Apache Thrift
By the Year
In 2023 there have been 0 vulnerabilities in Apache Thrift. Thrift did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 7.50 |
| 2020 | 0 | 0.00 |
| 2019 | 4 | 7.25 |
| 2018 | 1 | 8.80 |
It may take a day or so for new Thrift vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Thrift Security Vulnerabilities
CVE-2020-13949 | 7.5 - High | February 12, 2021
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Resource Exhaustion
CVE-2019-0205 | 7.5 - High | October 29, 2019
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Infinite Loop
CVE-2019-0210 | 7.5 - High | October 29, 2019
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data.
Out-of-bounds Read
CVE-2018-1320 | 7.5 - High | January 07, 2019
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings, making the validation incomplete.
Improper Certificate Validation
CVE-2018-11798 | 6.5 - Medium | January 07, 2019
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the web server's configured docroot path.
Insertion of Sensitive Information into Externally-Accessible File or Directory
CVE-2016-5397 | 8.8 - High | February 12, 2018
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
Command Injection
CVE-2015-3254 | 6.5 - Medium | June 16, 2017
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.
Improper Input Validation
