Command Injection Vulnerability in Apache Thrift Go Client Library
CVE-2016-5397
8.8 HIGH
Summary
The Apache Thrift Go client library is affected by a command injection vulnerability in its code generation step, caused by its use of an external formatting tool. The flaw is present in Apache Thrift versions 0.9.3 and earlier and has been resolved in version 0.10.0. Proper validation and sanitization of user input are crucial to prevent potential exploitation.
Affected Version(s)
Apache Thrift versions prior to 0.10.0
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved