[ https://issues.apache.org/jira/browse/CASSANDRA-15420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Miklosovic updated CASSANDRA-15420: ------------------------------------------ Fix Version/s: (was: 2.2.x) > CVE-2019-0205(Apache Thrift all versions up to and including 0.12.0) on > version Cassendra 3.11.4 > ------------------------------------------------------------------------------------------------ > > Key: CASSANDRA-15420 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15420 > Project: Cassandra > Issue Type: Bug > Components: Messaging/Thrift > Reporter: Abhishek Singh > Assignee: Stefan Miklosovic > Priority: Normal > Fix For: 3.0.x, 3.11.x > > > *Description :**Description :* *Severity :* CVE CVSS 3: 7.5Sonatype CVSS 3: > 7.5 > > *Weakness :* CVE CWE: 835 > > *Source :* National Vulnerability Database > > *Categories :* Data > *Description from CVE :* In Apache Thrift all versions up to and including > 0.12.0, a server or client may run into an endless loop when feed with > specific input data. Because the issue had already been partially fixed in > version 0.11.0, depending on the installed version it affects only certain > language bindings. > > *Explanation :* This issue has undergone the Sonatype Fast-Track process. > For more information, please see the Sonatype Knowledge Base Guide. > *Detection :* The application is vulnerable by using this component. > *Recommendation :* We recommend upgrading to a version of this component > that is not vulnerable to this specific issue.Note: If this component is > included as a bundled/transitive dependency of another component, there may > not be an upgrade path. In this instance, we recommend contacting the > maintainers who included the vulnerable package. Alternatively, we recommend > investigating alternative components or a potential mitigating control. > *Advisories :* Project: > http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.m… > > *CVSS Details :* CVE CVSS 3: 7.5CVSS Vector: > CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H > *Occurences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"] > *CVE :* CVE-2019-0205 > *URL :* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205 > *Remediation :* This component does not have any non-vulnerable Version. > Please contact the vendor to get this vulnerability fixed. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org