Apache Thrift

By the Year

In 2024 there have been 0 vulnerabilities in Apache Thrift. Thrift did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 1 7.50
2020 0 0.00
2019 4 7.25
2018 1 8.80

It may take a day or so for new Thrift vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Thrift Security Vulnerabilities

CVE-2020-13949 7.5 - High - February 12, 2021

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Resource Exhaustion

CVE-2019-0205 7.5 - High - October 29, 2019

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Infinite Loop

CVE-2019-0210 7.5 - High - October 29, 2019

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.

Out-of-bounds Read

CVE-2018-1320 7.5 - High - January 07, 2019

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

Improper Certificate Validation

CVE-2018-11798 6.5 - Medium - January 07, 2019

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the web server's configured docroot path.

Insertion of Sensitive Information into Externally-Accessible File or Directory

CVE-2016-5397 8.8 - High - February 12, 2018

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. This affected Apache Thrift 0.9.3 and older and was fixed in Apache Thrift 0.10.0.

Command Injection

CVE-2015-3254 6.5 - Medium - June 16, 2017

The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.

Improper Input Validation
