
CVE-2021-43045: Allocation of Resources Without Limits or Throttling in Apache Avro

CVSS 3.1 Score: 7.5

Basic Information

EPSS Score: 0.67305%
Published: 1/8/2022
Updated: 9/26/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: Apache.Avro
Ecosystem: nuget
Vulnerable Versions: < 1.11.0
First Patched Version: 1.11.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unvalidated length values in string deserialization. GitHub PR #1357 shows that the fix added length validation checks in BinaryDecoder.ReadString(), and JIRA tickets AVRO-3225/AVRO-3226 explicitly reference these issues in the .NET implementation. The pre-patch code used the unchecked result of ReadInt() to size memory allocations, so a malicious payload carrying an invalid length value could force excessive allocation.
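The unchecked allocation described above and the kind of length check a fix introduces, as an added C# illustration that is not Apache.Avro's own code: ReadStringUnchecked sizes its buffer straight from the decoded length, while ReadStringChecked validates that length against the bytes actually available before allocating. The decoder class, method names and the two sample payloads are constructed for this example.

```csharp
using System;
using System.IO;
using System.Text;
// Added illustration, not Apache.Avro's code. Avro encodes a string as a
// zig-zag varint length followed by that many UTF-8 bytes.
public static class AvroStringDecoding
{
    // Avro long: base-128 varint (low group first), then zig-zag decode.
    static long ReadLong(Stream s)
    {
        ulong n = 0; int shift = 0, b;
        do
        {
            b = s.ReadByte();
            if (b < 0) throw new EndOfStreamException();
            n |= (ulong)(b & 0x7f) << shift;
            shift += 7;
        } while ((b & 0x80) != 0);
        return (long)(n >> 1) ^ -(long)(n & 1);
    }
    // Vulnerable pattern: the attacker-controlled length sizes the buffer as-is,
    // so a bogus length means a huge allocation (a negative one throws instead).
    public static string ReadStringUnchecked(Stream s)
    {
        var buf = new byte[ReadLong(s)];
        s.Read(buf, 0, buf.Length);
        return Encoding.UTF8.GetString(buf);
    }
    // Hardened pattern: reject negative lengths and lengths beyond the bytes still
    // available before allocating. Assumes a seekable stream; on a network stream
    // compare against a fixed maximum string size instead.
    public static string ReadStringChecked(Stream s)
    {
        long len = ReadLong(s);
        if (len < 0 || len > s.Length - s.Position)
            throw new InvalidDataException($"invalid Avro string length {len}");
        var buf = new byte[len];
        for (int read = 0, n = 0; read < buf.Length; read += n)
            if ((n = s.Read(buf, read, buf.Length - read)) == 0)
                throw new EndOfStreamException();
        return Encoding.UTF8.GetString(buf);
    }
    public static void Main()
    {   // Constructed inputs: "hi" (length 2 zig-zags to 0x04) and a varint claiming 2^31 bytes with no body.
        Console.WriteLine(ReadStringChecked(new MemoryStream(new byte[] { 0x04, (byte)'h', (byte)'i' })));
        try { ReadStringChecked(new MemoryStream(new byte[] { 0x80, 0x80, 0x80, 0x80, 0x10 })); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```

Feeding the second payload to ReadStringUnchecked instead would attempt a 2 GiB allocation from a five-byte message, which is the resource-exhaustion condition the CVE describes.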
