CVE-2019-0210
Aliases: GHSA-jq7p-26h5-w78r, GO-2021-0101
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 28 Oct 2019, 22:22
Last modified: 04 Aug 2024, 17:44
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
1.19% LOW
1% probability +0.83%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
28 Oct 2019, 22:22
Published
Vulnerability first disclosed
04 Aug 2024, 17:44
Last Modified
Vulnerability information updated
Description
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data.
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0 • MEDIUM • Score: 5 • AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 1.19% • Percentile: 79%
Techniques & Countermeasures
- CWE-125 • Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
Affected Systems
- apache • apache thrift: 0.9.3 to 0.12.0
- apache • thrift: ≥ 0.9.3, ≤ 0.12.0
- github.com/apache • thrift: ≥ 0.9.3, < 0.13.0 | ≥ 0.0.0-20151001171628-53dd39833a08, < 0.13.0
- oracle • communications_cloud_native_core_network_slice_selection_function: 1.2.1
- redhat • jboss_enterprise_application_platform: 7.2.0
References (21)
- https://access.redhat.com/errata/RHSA-2020:0806
- https://access.redhat.com/errata/RHSA-2020:0811
- https://access.redhat.com/errata/RHSA-2020:0804
- https://access.redhat.com/errata/RHSA-2020:0805
- https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9%40%3Ccommits.pulsar.apache.org%3E
- https://security.gentoo.org/glsa/202107-32
- https://www.oracle.com//security-alerts/cpujul2021.html
- http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E
- https://nvd.nist.gov/vuln/detail/CVE-2019-0210
- https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
- https://github.com/apache/thrift
- https://github.com/apache/thrift/blob/master/CHANGES.md#0130
- https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142@%3Ccommits.pulsar.apache.org%3E
- https://pkg.go.dev/vuln/GO-2021-0101
- https://www.oracle.com/security-alerts/cpujul2021.html