Input Validation Flaw in Go Server Implementation in Apache Thrift
CVE-2019-0210

7.5 HIGH

Key Information:

Vendor: Apache
CVE Published: 29 October 2019

Summary

Apache Thrift versions 0.9.3 to 0.12.0 are susceptible to an input validation flaw. A server implemented in Go that uses TJSONProtocol or TSimpleJSONProtocol may panic when it receives invalid input data. The panic can disrupt the normal functioning of the server and potentially lead to service outages.

Affected Version(s)

Apache Thrift 0.9.3 to 0.12.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
