Uninitialized Memory Bug in Apache Arrow Affecting Multiple Implementations
CVE-2019-12408

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Arrow
Vendor: CVE Published:; 8 November 2019

Summary

A significant vulnerability has been identified in the C++ implementation of Apache Arrow, specifically in versions 0.14.0 to 0.14.1. This flaw arises when building arrays that contain null values, leading to the potential exposure of uninitialized memory. This memory might inadvertently be shared during transmission of Arrow Arrays over the network or when stored in streaming IPC formats and file systems. Such exposure raises critical concerns regarding data integrity and security.

Affected Version(s)

Apache Arrow Apache Arrow 0.14.0 to 0.14.1

References

https://lists.apache.org/thread.html/49f067b1c5fb7493d952...

x_refsource_CONFIRM

https://lists.apache.org/thread.html/efd8bbf57427d3c303b5...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 8, 2019
Vulnerability Reserved
May 28, 2019