[ https://issues.apache.org/jira/browse/CASSANDRA-15420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17322201#comment-17322201 ]

Mark Denihan commented on CASSANDRA-15420:
------------------------------------------

This could be resolved by updating the libthrift jar to 0.9.3-1.
References:
https://issues.apache.org/jira/browse/THRIFT-5075
https://github.com/apache/thrift/pull/1993

> CVE-2019-0205 (Apache Thrift all versions up to and including 0.12.0) on 
> version Cassandra 3.11.4
> ------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15420
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15420
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Abhishek Singh
>            Priority: Normal
>
> *Description :*
> *Severity :* CVE CVSS 3: 7.5; Sonatype CVSS 3: 7.5
>  
>  *Weakness :* CVE CWE: 835
>  
>  *Source :* National Vulnerability Database
>  
>  *Categories :* Data 
>  *Description from CVE :* In Apache Thrift all versions up to and including 
> 0.12.0, a server or client may run into an endless loop when feed with 
> specific input data. Because the issue had already been partially fixed in 
> version 0.11.0, depending on the installed version it affects only certain 
> language bindings.
>  
>  *Explanation :* This issue has undergone the Sonatype Fast-Track process. 
> For more information, please see the Sonatype Knowledge Base Guide. 
>  *Detection :* The application is vulnerable by using this component. 
>  *Recommendation :* We recommend upgrading to a version of this component 
> that is not vulnerable to this specific issue. Note: If this component is 
> included as a bundled/transitive dependency of another component, there may 
> not be an upgrade path. In this instance, we recommend contacting the 
> maintainers who included the vulnerable package. Alternatively, we recommend 
> investigating alternative components or a potential mitigating control. 
>  *Advisories :* Project: 
> http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.m…
>  
>  *CVSS Details :* CVE CVSS 3: 7.5; CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> *Occurrences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]
> *CVE :* CVE-2019-0205
> *URL :* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
> *Remediation :* This component does not have any non-vulnerable version. 
> Please contact the vendor to get this vulnerability fixed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
