Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability stems from insufficient validation of classes named during Avro schema parsing. The key vulnerable function is the constructor of FieldStringableConverter, which lacked a package trust check (added in the patch via checkSecurity()). This allowed arbitrary classes specified in a schema to be loaded, and the convert() method would then instantiate them via reflection. The test case added with the fix demonstrates the issue using UntrustedStringableClass, while the security patch adds package checking so that only classes from trusted packages can be loaded this way.
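The pattern described above, shown as an added illustration rather than parquet-avro's own code: a class name taken from schema metadata is loaded and instantiated through its String constructor, but only after a package allowlist check. The class name TrustedStringableLoader, the method names, the exception type and the allowlist contents are assumptions made for this example and do not reproduce the project's checkSecurity() implementation.

```java
import java.lang.reflect.Constructor;
import java.util.Set;

/**
 * Illustrative package-trust check for "stringable" classes named in a schema.
 * Added example; not code from parquet-avro. Names and the allowlist are assumptions.
 */
public final class TrustedStringableLoader {

    // Assumed allowlist (constructed for this example): only classes whose package
    // is exactly one of these may be instantiated from a schema-supplied name.
    private static final Set<String> TRUSTED_PACKAGES =
            Set.of("java.lang", "java.math", "java.net");

    private TrustedStringableLoader() {}

    /**
     * Exact package match, not a prefix match: "java.lang" must not also admit
     * "java.lang.reflect" or a look-alike such as "java.langx". A class in the
     * default package (no dot) is never trusted.
     */
    static boolean isTrusted(String className) {
        int dot = className.lastIndexOf('.');
        if (dot < 0) {
            return false;
        }
        return TRUSTED_PACKAGES.contains(className.substring(0, dot));
    }

    /**
     * Mirrors the converter's behaviour: load the named class and build an
     * instance from the string value via reflection. The trust check runs before
     * Class.forName, so an arbitrary classpath class cannot be loaded or
     * constructed from untrusted schema content.
     */
    static Object convertStringable(String className, String value)
            throws ReflectiveOperationException {
        if (!isTrusted(className)) {
            throw new SecurityException("Untrusted stringable class in schema: " + className);
        }
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(value);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Trusted: java.math.BigDecimal has a String constructor and its package is allowlisted.
        Object ok = convertStringable("java.math.BigDecimal", "42.5");
        System.out.println("loaded " + ok.getClass().getName() + " = " + ok);

        // Untrusted: a class outside the allowlist is rejected before it is even loaded.
        // The name below is a placeholder constructed for the example.
        try {
            convertStringable("com.example.untrusted.SomeClass", "x");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important ordering is that the trust decision is made on the string name before any class loading happens; checking after Class.forName would already have run the target's static initializers. Exact package comparison is used rather than startsWith on a prefix, since a prefix check is easy to get subtly wrong.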
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.parquet:parquet-avro | maven | < 1.15.1 | 1.15.1 |