CVE-2016-5397

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Thrift
Vendor: CVE Published:; 12 February 2018

Summary

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.

Affected Version(s)

Apache Thrift versions prior to 0.10.0

References

http://www.securityfocus.com/bid/103025

vdb-entryx_refsource_BID

https://access.redhat.com/errata/RHSA-2018:2669

vendor-advisoryx_refsource_REDHAT

https://issues.apache.org/jira/browse/THRIFT-3893

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 12, 2018
Vulnerability Reserved
Jun 10, 2016