{"url":"http://public2.vulnerablecode.io/api/packages/36171?format=json","purl":"pkg:pypi/avro@1.5.3","type":"pypi","namespace":"","name":"avro","version":"1.5.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.11.5","latest_non_vulnerable_version":"1.11.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37210?format=json","vulnerability_id":"VCID-cfcn-gwwn-ybe8","summary":"Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.","references":[{"reference_url":"https://github.com/apache/avro","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro"},{"reference_url":"https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4"},{"reference_url":"https://github.com/apache/avro/pull/3150","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro/pull/3150"},{"reference_url":"https://issues.apache.org/jira/browse/AVRO-4053","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/AVRO-4053"},{"reference_url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783","reference_id":"","reference_type":"","scores":[],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/12/2","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"http://www.openwall.com/lists/oss-security/2026/02/12/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-33042","reference_id":"CVE-2025-33042","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-33042"},{"reference_url":"https://github.com/advisories/GHSA-rp46-r563-jrc7","reference_id":"GHSA-rp46-r563-jrc7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rp46-r563-jrc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47602?format=json","purl":"pkg:pypi/avro@1.11.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/avro@1.11.5"}],"aliases":["CVE-2025-33042","GHSA-rp46-r563-jrc7","PYSEC-2026-26"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cfcn-gwwn-ybe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36559?format=json","vulnerability_id":"VCID-p54a-fes2-x7gu","summary":"When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\n\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to apache-avro version 1.11.3 which addresses this issue.","references":[{"reference_url":"https://github.com/apache/avro","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro"},{"reference_url":"https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml"},{"reference_url":"https://issues.apache.org/jira/browse/AVRO-3819","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/AVRO-3819"},{"reference_url":"https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240621-0006","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240621-0006"},{"reference_url":"https://www.openwall.com/lists/oss-security/2023/09/29/6","reference_id":"","reference_type":"","scores":[],"url":"https://www.openwall.com/lists/oss-security/2023/09/29/6"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/09/29/6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"http://www.openwall.com/lists/oss-security/2023/09/29/6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39410","reference_id":"CVE-2023-39410","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39410"},{"reference_url":"https://github.com/advisories/GHSA-rhrv-645h-fjfh","reference_id":"GHSA-rhrv-645h-fjfh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rhrv-645h-fjfh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36197?format=json","purl":"pkg:pypi/avro@1.11.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cfcn-gwwn-ybe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/avro@1.11.3"}],"aliases":["CVE-2023-39410","GHSA-rhrv-645h-fjfh","PYSEC-2023-188"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p54a-fes2-x7gu"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/avro@1.5.3"}