Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561)
Overview
An update has been released to address vulnerabilities in Apache Subversion and the Apache Avro Java SDK. Users of the affected versions are advised to update to the latest version.
Affected Products
CVE-2024-45720
- Subversion versions: 1.14.3 and earlier (Windows builds only)
CVE-2024-47561
- Apache Avro Java SDK versions: earlier than 1.11.4 (1.11.3 and earlier)
Resolved Vulnerabilities
Argument injection in the Subversion command line executables (svn.exe and the other command line tools) on Windows: a "best fit" character encoding conversion of command line arguments means a specially crafted argument string can be interpreted as different arguments than intended, which could lead to argument injection and execution of other programs. The issue is specific to Windows builds of Subversion, not to the Java SDK (CVE-2024-45720)
Arbitrary code execution in the Apache Avro Java SDK via schema parsing: a malicious schema processed while reading Avro data could allow attackers to execute arbitrary code (CVE-2024-47561)
Vulnerability Patches
The following product-specific patches have been made available in the latest update. If you are using an affected version, follow the instructions on the referenced sites to update to the patched version.
CVE-2024-45720
- Subversion version: 1.14.4 (Windows)
CVE-2024-47561
- Apache Avro Java SDK version: 1.11.4
- Apache Avro Java SDK version: 1.12.0
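To turn the affected and fixed versions above into a repeatable check, the following script compares versions reported by the tools against the ranges in this advisory: Subversion 1.14.3 and earlier on Windows (fixed in 1.14.4), and Avro Java SDK earlier than 1.11.4 (fixed in 1.11.4 and 1.12.0). This is an added example, not part of the advisory and not code from the Subversion or Avro projects. The sample `svn --version` and `mvn dependency:tree` output embedded below is constructed, and the regular expressions assume those tools' usual output shapes (`svn, version X.Y.Z (...)` and `group:artifact:jar:version:scope`).

```python
"""Check reported Subversion / Apache Avro versions against the advisory ranges.

Added example; not part of the advisory. The sample tool output below is
constructed to look like `svn --version` and `mvn dependency:tree` output.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions quoted in the advisory.
SVN_FIXED: Version = (1, 14, 4)   # CVE-2024-45720, Windows builds only
AVRO_FIXED: Version = (1, 11, 4)  # CVE-2024-47561; 1.12.0 also carries the fix


def parse_version(text: str) -> Version:
    """'1.14.3' -> (1, 14, 3). Vendor or pre-release suffixes after the
    numeric part (e.g. '1.11.4-SNAPSHOT') are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def svn_affected(version: str, on_windows: bool) -> bool:
    """CVE-2024-45720: Subversion <= 1.14.3 (i.e. < 1.14.4), Windows only."""
    return on_windows and parse_version(version) < SVN_FIXED


def avro_affected(version: str) -> bool:
    """CVE-2024-47561: Avro Java SDK < 1.11.4 (1.11.4 and 1.12.0 are fixed)."""
    return parse_version(version) < AVRO_FIXED


# First line of `svn --version` (assumed shape): "svn, version 1.14.3 (r...)"
SVN_VERSION_RE = re.compile(r"^svn, version (\S+)")
# Maven coordinate as printed by `mvn dependency:tree`:
# "[INFO] +- org.apache.avro:avro:jar:1.11.3:compile"
AVRO_COORD_RE = re.compile(r"org\.apache\.avro:avro:jar:([^:\s]+)")


def svn_version_from_output(output: str) -> Optional[str]:
    """Extract the version string from `svn --version` output, or None."""
    for line in output.splitlines():
        m = SVN_VERSION_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def avro_versions_from_tree(tree: str) -> List[str]:
    """Every org.apache.avro:avro version appearing in a Maven dependency tree."""
    return AVRO_COORD_RE.findall(tree)


def assess(svn_output: str, mvn_tree: str, on_windows: bool) -> List[str]:
    """Return one finding per affected component, in advisory order."""
    findings: List[str] = []
    svn_ver = svn_version_from_output(svn_output)
    if svn_ver is not None and svn_affected(svn_ver, on_windows):
        findings.append(
            f"CVE-2024-45720: Subversion {svn_ver} on Windows; upgrade to 1.14.4")
    for ver in avro_versions_from_tree(mvn_tree):
        if avro_affected(ver):
            findings.append(
                f"CVE-2024-47561: Apache Avro {ver}; upgrade to 1.11.4 or 1.12.0")
    return findings


# Constructed sample output (not captured from real systems).
SAMPLE_SVN_OUTPUT = """svn, version 1.14.3 (r1000000)
   compiled Jan  1 2024, 00:00:00 on x86_64-microsoft-windows
"""

SAMPLE_MVN_TREE = """[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.avro:avro:jar:1.11.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.17.0:compile
[INFO] \\- org.apache.avro:avro:jar:1.12.0:test
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_SVN_OUTPUT, SAMPLE_MVN_TREE, on_windows=True):
        print(finding)
```

The Windows flag is passed in explicitly rather than derived from `platform.system()` so the check can be run from a central host against output collected from Windows build agents; a non-Windows Subversion install is reported as unaffected regardless of version, matching the advisory's scope. Note that a version such as 1.11.4-SNAPSHOT is treated as 1.11.4 and therefore as fixed; if pre-release builds are in use, compare against the commit that carries the fix instead.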
References
[1] CVE-2024-45720 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-45720
[2] Subversion command line argument injection on Windows platforms
https://subversion.apache.org/security/CVE-2024-45720-advisory.txt
[3] CVE-2024-47561 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-47561
[4] CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)
https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x