Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-6yqn-2w2d-3yd3
Vulnerability ID VCID-6yqn-2w2d-3yd3
Aliases CVE-2023-39410
GHSA-rhrv-645h-fjfh
PYSEC-2023-188
Summary When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-20 Improper Input Validation
CWE-502 Deserialization of Untrusted Data
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-39410.json
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-39410
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-rhrv-645h-fjfh
cvssv3.1 7.5 https://github.com/apache/avro
generic_textual HIGH https://github.com/apache/avro
cvssv3.1 7.5 https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828
generic_textual HIGH https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml
cvssv3.1 7.5 https://issues.apache.org/jira/browse/AVRO-3819
generic_textual HIGH https://issues.apache.org/jira/browse/AVRO-3819
cvssv3.1 7.5 https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
generic_textual HIGH https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
ssvc Track https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-39410
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-39410
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20240621-0006
generic_textual HIGH https://security.netapp.com/advisory/ntap-20240621-0006
ssvc Track https://security.netapp.com/advisory/ntap-20240621-0006/
cvssv3.1 7.5 https://www.openwall.com/lists/oss-security/2023/09/29/6
generic_textual HIGH https://www.openwall.com/lists/oss-security/2023/09/29/6
ssvc Track https://www.openwall.com/lists/oss-security/2023/09/29/6
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2023/09/29/6
generic_textual HIGH http://www.openwall.com/lists/oss-security/2023/09/29/6
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-39410.json
https://api.first.org/data/v1/epss?cve=CVE-2023-39410
https://github.com/apache/avro
https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828
https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml
https://issues.apache.org/jira/browse/AVRO-3819
https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
https://security.netapp.com/advisory/ntap-20240621-0006
https://www.openwall.com/lists/oss-security/2023/09/29/6
http://www.openwall.com/lists/oss-security/2023/09/29/6
2242521 https://bugzilla.redhat.com/show_bug.cgi?id=2242521
CVE-2023-39410 https://nvd.nist.gov/vuln/detail/CVE-2023-39410
GHSA-rhrv-645h-fjfh https://github.com/advisories/GHSA-rhrv-645h-fjfh
RHSA-2023:7617 https://access.redhat.com/errata/RHSA-2023:7617
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-39410.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/avro
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://issues.apache.org/jira/browse/AVRO-3819
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-26T19:07:20Z/ Found at https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-39410
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20240621-0006
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-26T19:07:20Z/ Found at https://security.netapp.com/advisory/ntap-20240621-0006/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.openwall.com/lists/oss-security/2023/09/29/6
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-26T19:07:20Z/ Found at https://www.openwall.com/lists/oss-security/2023/09/29/6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2023/09/29/6
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.19175
EPSS Score 0.00061
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:44.329740+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/avro/PYSEC-2023-188.yaml 38.0.0