Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdqeGotZjhyZy05OXd4
Improper Input Validation in Apache Thrift
Apache Thrift Java client library versions 0.5.0 prior to 0.9.3-1 and 0.10.0 prior to 0.12.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Permalink: https://github.com/advisories/GHSA-wjxj-f8rg-99wxJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdqeGotZjhyZy05OXd4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: 9 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-wjxj-f8rg-99wx, CVE-2018-1320
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1320
- https://access.redhat.com/errata/RHSA-2019:2413
- https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E
- https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E
- https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E
- https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E
- https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html
- https://support.f5.com/csp/article/K36361684
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://www.openwall.com/lists/oss-security/2019/07/24/3
- https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E
- https://github.com/apache/thrift/releases/tag/0.9.3.1
- https://issues.apache.org/jira/browse/THRIFT-4506
- https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106551
- http://www.securityfocus.com/bid/106551
- https://github.com/apache/thrift/commit/7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23
- https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
- https://github.com/advisories/GHSA-wjxj-f8rg-99wx
Blast Radius: 31.1
Affected Packages
maven:org.apache.thrift:libthrift
Dependent packages: 1,290Dependent repositories: 14,005
Downloads:
Affected Version Ranges: >= 0.10.0, < 0.12.0, >= 0.5.0, < 0.9.3-1
Fixed in: 0.12.0, 0.9.3-1
All affected versions: 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0
All unaffected versions: 0.9.3, 0.12.0, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.21.0