Search CVE reports
1 – 10 of 11 results
CVE-2020-13949
Low priority
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
1 affected package
thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
thrift | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Not in release |
CVE-2019-11939
Low priority
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory...
1 affected package
thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
thrift | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Not in release |
CVE-2019-0210
Medium priority
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
1 affected package
thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
thrift | — | — | Not affected | Not in release | Not in release |
CVE-2019-0205
Medium priority
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the...
1 affected package
thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
thrift | — | — | Not affected | Not in release | Not in release |
CVE-2019-3565
Medium priority
Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long...
3 affected packages
hhvm, reminders-app, thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
hhvm | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
reminders-app | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
thrift | Not affected | Not affected | Not affected | Not in release | Not in release |
CVE-2019-3564
Medium priority
Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to...
2 affected packages
golang-github-uber-go-tally, thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
golang-github-uber-go-tally | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
thrift | Not affected | Not affected | Not affected | Not in release | Not in release |
CVE-2019-3559
Medium priority
Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to...
3 affected packages
hhvm, libthrift-java, thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
hhvm | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
libthrift-java | Not affected | Not affected | Not in release | Vulnerable | Vulnerable |
thrift | Not affected | Not affected | Not affected | Not in release | Not in release |
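The five entries above (CVE-2020-13949, CVE-2019-11939, CVE-2019-3565, CVE-2019-3564 and CVE-2019-3559) describe the same deserializer weakness from two angles: a container header that declares far more elements than the message carries, and a container whose element type the reader cannot decode but tries to skip anyway. The following is an added example, not Apache or Facebook Thrift code, of a list reader that bounds the declared count by the bytes actually received and refuses unknown element types before it loops. The TType codes and the list wire layout (one type byte, then a big-endian int32 count) are those of the Thrift binary protocol; the per-type minimum sizes, the `max_elements` cap and the hostile headers are constructed for the example.

```python
"""Bounds-checking a Thrift binary-protocol list before allocating for it.

On the wire a list is  <elem_type: 1 byte><count: int32 big-endian><elements>.
A reader that trusts `count` reserves that many slots before reading a single
element, so a 5-byte message can cost gigabytes (the CVE-2020-13949 /
CVE-2019-11939 shape), and a reader that "skips" elements of a type it cannot
decode may loop `count` times consuming nothing (the CVE-2019-3559/3564/3565
shape).  Constructed example, not Apache or Facebook Thrift code.
"""
import struct

# TType codes of the Thrift binary protocol (scalars and string only).
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64, T_STRING = 2, 3, 4, 6, 8, 10, 11

# Fewest bytes one element of each type can occupy on the wire; a string is
# at least its 4-byte length prefix.  Used to bound `count` by the payload.
MIN_WIRE_SIZE = {T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8, T_STRING: 4}
SCALAR_FMT = {T_BOOL: ">?", T_BYTE: ">b", T_DOUBLE: ">d", T_I16: ">h", T_I32: ">i", T_I64: ">q"}
HEADER = struct.Struct(">Bi")  # elem_type, count


class ProtocolError(ValueError):
    """A malformed or hostile list header or element."""


def encode_list(elem_type, values):
    """Serialize a list of scalars or strings the way the binary protocol does."""
    out = bytearray(HEADER.pack(elem_type, len(values)))
    for v in values:
        if elem_type == T_STRING:
            data = v.encode("utf-8")
            out += struct.pack(">i", len(data)) + data
        else:
            out += struct.pack(SCALAR_FMT[elem_type], v)
    return bytes(out)


def naive_reserved_bytes(buf, slot_bytes=8):
    """Bytes an unchecked reader would reserve up front (count * slot size).
    Returned as a number rather than allocated, so the attack header can be
    inspected without exhausting memory."""
    _elem_type, count = HEADER.unpack_from(buf, 0)
    return count * slot_bytes


def read_list(buf, offset=0, max_elements=1_000_000):
    """Parse one list, rejecting hostile headers before any allocation.

    1. element type must be one this reader can decode (no blind skip loop);
    2. count must be non-negative;
    3. count * minimum element size must fit in the bytes that remain, so the
       declared length is bounded by the payload actually received;
    4. an application-level cap on element count applies on top.
    Returns (values, offset_after_list).
    """
    if len(buf) - offset < HEADER.size:
        raise ProtocolError("truncated list header")
    elem_type, count = HEADER.unpack_from(buf, offset)
    offset += HEADER.size
    if elem_type not in MIN_WIRE_SIZE:
        raise ProtocolError(f"unknown element type {elem_type}")
    if count < 0:
        raise ProtocolError(f"negative element count {count}")
    remaining = len(buf) - offset
    need = count * MIN_WIRE_SIZE[elem_type]
    if need > remaining:
        raise ProtocolError(f"{count} elements need >= {need} bytes, {remaining} remain")
    if count > max_elements:
        raise ProtocolError(f"element count {count} exceeds limit {max_elements}")

    values = []
    for _ in range(count):
        if elem_type == T_STRING:
            if len(buf) - offset < 4:
                raise ProtocolError("truncated string length")
            (n,) = struct.unpack_from(">i", buf, offset)
            offset += 4
            if n < 0 or n > len(buf) - offset:
                raise ProtocolError("string length exceeds remaining bytes")
            values.append(buf[offset:offset + n].decode("utf-8"))
            offset += n
        else:
            fmt = SCALAR_FMT[elem_type]
            (v,) = struct.unpack_from(fmt, buf, offset)
            offset += struct.calcsize(fmt)
            values.append(v)
    return values, offset


# Constructed hostile inputs: a 5-byte header claiming 2**31-1 i64 elements,
# and one whose element type code (99) is not a Thrift type at all.
ATTACK_HEADER = HEADER.pack(T_I64, 2**31 - 1)
UNKNOWN_TYPE_HEADER = HEADER.pack(99, 2**31 - 1)

if __name__ == "__main__":
    print(read_list(encode_list(T_I32, [1, -2, 3])))   # ([1, -2, 3], 17)
    print(naive_reserved_bytes(ATTACK_HEADER))        # 17179869176
    for bad in (ATTACK_HEADER, UNKNOWN_TYPE_HEADER):
        try:
            read_list(bad)
        except ProtocolError as err:
            print("rejected:", err)
```

The minimum-size check is the important one: a cap on element count alone still lets an attacker declare `max_elements` entries in a few bytes, whereas requiring `count * MIN_WIRE_SIZE` bytes to be present ties the allocation to what the client actually sent. Rejecting unknown element types up front matters for the same reason; a "skip" path that consumes zero bytes per element turns the declared count directly into CPU time.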
CVE-2018-1320
Medium priority
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had...
1 affected package
libthrift-java
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
libthrift-java | — | — | — | Fixed | Fixed |
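The point behind CVE-2018-1320 is general: a JVM does not execute `assert` statements unless started with `-ea`, so an assert is not a security check, and the decision that a SASL handshake has completed must come from the server's own mechanism state rather than from anything the peer sends. Below is an added toy model of that shape, not the libthrift TSaslTransport code. The frame layout (one status byte, a big-endian int32 length, then the payload) and the status codes START/OK/BAD/ERROR/COMPLETE follow Thrift's SASL transport; the one-step mechanism, the shared secret, the `strict` and `assertions_enabled` parameters and the client transcripts are constructed for the example.

```python
"""Toy model of the Thrift SASL transport handshake, showing why the server
must take 'handshake complete' from its own mechanism state rather than from
the peer's status byte, and why an `assert` is not a security check.
Frame layout follows Thrift's SASL transport: <status: 1 byte><length: int32
big-endian><payload>.  Constructed example, not the libthrift TSaslTransport
code; the toy mechanism and shared secret are assumptions.
"""
import hmac
import struct

START, OK, BAD, ERROR, COMPLETE = 1, 2, 3, 4, 5   # SASL status codes used by Thrift
SECRET = b"correct horse battery staple"           # constructed shared secret
FRAME = struct.Struct(">Bi")


def frame(status, payload=b""):
    """Encode one SASL frame."""
    return FRAME.pack(status, len(payload)) + payload


def parse_frames(data):
    """Split a byte stream into (status, payload) frames, checking lengths."""
    frames, off = [], 0
    while off < len(data):
        if len(data) - off < FRAME.size:
            raise ValueError("truncated frame header")
        status, n = FRAME.unpack_from(data, off)
        off += FRAME.size
        if n < 0 or n > len(data) - off:
            raise ValueError("bad frame length")
        frames.append((status, data[off:off + n]))
        off += n
    return frames


class ToyMechanism:
    """One-step mechanism: the client's response must equal the shared secret."""

    def __init__(self):
        self.complete = False

    def evaluate(self, response):
        if hmac.compare_digest(response, SECRET):
            self.complete = True
            return COMPLETE, b""
        return BAD, b"authentication failed"


def run_server(client_frames, strict, assertions_enabled=False):
    """Drive the server side over a list of (status, payload) client frames.

    Returns (accepted, server_replies); accepted=True means the server would
    hand the connection to the RPC layer.
    strict=False reproduces the shape of CVE-2018-1320: the only guard on a
    client-sent COMPLETE is an assert, and a JVM skips asserts unless started
    with -ea, which assertions_enabled=False models.
    strict=True is the fix: an explicit check on the mechanism's own state.
    """
    mech = ToyMechanism()
    replies = []
    for status, payload in client_frames:
        if status == START:          # mechanism name; the toy has only one
            continue
        if status == OK:             # client response for the mechanism
            replies.append(frame(*mech.evaluate(payload)))
            if mech.complete:        # server decided from its own state
                return True, replies
            continue
        if status == COMPLETE:       # client *claims* the handshake is done
            if strict:
                if not mech.complete:
                    replies.append(frame(ERROR, b"handshake not complete"))
                    return False, replies
                return True, replies
            if assertions_enabled:
                assert mech.complete, "client claimed completion early"
            return True, replies     # trusted the client's status byte
        return False, replies        # BAD or ERROR from the client: give up
    return False, replies


# Constructed client transcripts.
HONEST_CLIENT = [(START, b"TOY"), (OK, SECRET)]
FORGED_CLIENT = [(START, b"TOY"), (COMPLETE, b"")]          # never authenticates
WRONG_THEN_COMPLETE = [(START, b"TOY"), (OK, b"guess"), (COMPLETE, b"")]
```

With `strict=False` and assertions off, `FORGED_CLIENT` is accepted without ever presenting a credential; with assertions on, the same code path throws instead of returning an error to the peer, which is still not a usable control. The `strict=True` path is what a transport should do: decide on `mech.complete`, answer with ERROR, and never let a status byte from the other side stand in for that decision.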
CVE-2018-11798
Low priority
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.
1 affected package
thrift
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
thrift | — | — | — | Not in release | Not in release |
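The flaw described for the Thrift Node.js static web server (CVE-2018-11798) is the classic one: a request path is joined onto the docroot and served, so `..` segments walk out of it. The following is an added example, written in Python rather than the project's JavaScript and not the Thrift project's code, of the containment check a static file handler needs: decode once, refuse NUL bytes, normalise the relative path and reject anything that still starts with `..`, then resolve symlinks and require the docroot to be a path prefix of the result. The `naive_join` function, the docroot `/srv/www` and the request paths are constructed for the example.

```python
"""Confining a static-file request to the web server's docroot.

Constructed Python example (not the Thrift Node.js static web server code)
of the check that stops /../../etc/passwd from being served.
"""
import os
import posixpath
from urllib.parse import unquote


class ForbiddenPath(Exception):
    """The request path would resolve outside the docroot."""


def naive_join(docroot, url_path):
    """The vulnerable shape: strip the leading slash and join.  Returned
    normalised so the escape is visible; '..' segments walk above docroot."""
    return os.path.normpath(os.path.join(docroot, url_path.lstrip("/")))


def resolve_under_docroot(docroot, url_path):
    """Map a request path to an absolute filesystem path under docroot.

    1. percent-decode exactly once (decoding twice re-opens %252e%252e tricks);
    2. refuse NUL bytes, which truncate paths in C-based filesystem APIs;
    3. normalise the *relative* path with POSIX rules and refuse anything
       that still begins with '..';
    4. realpath both sides and require docroot to be a path prefix, which
       also catches a symlink inside docroot that points outside it.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise ForbiddenPath(url_path)
    rel = posixpath.normpath(decoded.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise ForbiddenPath(url_path)
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, rel))
    if target != root and os.path.commonpath([root, target]) != root:
        raise ForbiddenPath(url_path)
    return target


def is_safe_request(docroot, url_path):
    """Boolean wrapper for use in a handler or a test."""
    try:
        resolve_under_docroot(docroot, url_path)
        return True
    except ForbiddenPath:
        return False


# Constructed docroot; it need not exist for the path checks to run.
DOCROOT = "/srv/www"

if __name__ == "__main__":
    for path in ("/index.html", "/css/../index.html", "/../../etc/passwd",
                 "/%2e%2e/%2e%2e/etc/passwd", "/static/../../etc/passwd"):
        print(path, "->", "naive:", naive_join(DOCROOT, path),
              "| safe:", is_safe_request(DOCROOT, path))
```

Two details are easy to get wrong. A plain string-prefix test (`target.startswith(root)`) accepts `/srv/www2/secret` for a docroot of `/srv/www`; `os.path.commonpath` compares whole path components. And the `..` check is done on the normalised relative path before the filesystem is consulted, so the handler returns a clean error for traversal attempts instead of quietly mapping them to some file under the docroot.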
CVE-2016-5397
Medium priority
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
2 affected packages
thrift, thrift-compiler
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
thrift | Not affected | Not affected | Not affected | Not in release | Not in release |
thrift-compiler | Not in release | Not in release | Not in release | Vulnerable | Vulnerable |