Apache Thrift
By the Year
In 2021 there has been 1 vulnerability in Apache Thrift, with an average score of 7.5 out of ten. Thrift did not have any published security vulnerabilities last year. That is, 1 more vulnerability has already been reported in 2021 than last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2021 | 1 | 7.50 |
2020 | 0 | 0.00 |
2019 | 4 | 7.25 |
2018 | 1 | 8.80 |
It may take a day or so for new Thrift vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.
Latest Apache Thrift Security Vulnerabilities
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages
CVE-2020-13949
7.5 - High
- February 12, 2021
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
CVE-2020-13949 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Uncontrolled Resource Consumption ('Resource Exhaustion')
In Apache Thrift 0.9.3 to 0.12.0
CVE-2019-0210
7.5 - High
- October 29, 2019
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
CVE-2019-0210 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Out-of-bounds Read
In Apache Thrift all versions up to and including 0.12.0
CVE-2019-0205
7.5 - High
- October 29, 2019
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
CVE-2019-0205 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Loop with Unreachable Exit Condition ('Infinite Loop')
Apache Thrift Java client library versions 0.5.0 through 0.11.0
CVE-2018-1320
7.5 - High
- January 07, 2019
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings, making the validation incomplete.
CVE-2018-1320 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Improper Input Validation
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in
CVE-2018-11798
6.5 - Medium
- January 07, 2019
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set web server's docroot path.
CVE-2018-11798 is exploitable with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
File and Directory Information Exposure
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool
CVE-2016-5397
8.8 - High
- February 12, 2018
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
CVE-2016-5397 can be exploited with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
Improper Neutralization of Special Elements used in a Command ('Command Injection')