[ https://issues.apache.org/jira/browse/THRIFT-4997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jens Geyer resolved THRIFT-4997.
--------------------------------
Resolution: Duplicate

I have no idea what the purpose of this ticket is. We know that, we fixed it and we have a new release 0.13.0. Don't you have a home?

> Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift:
> --------------------------------------------------------------
>
> Key: THRIFT-4997
> URL: https://issues.apache.org/jira/browse/THRIFT-4997
> Project: Thrift
> Issue Type: Bug
> Affects Versions: 0.12.0
> Reporter: Sachin Tappe
> Priority: Major
>
> Description from CVE
> In Apache Thrift all versions up to and including
> 0.12.0, a server or client may run into an endless loop when fed with
> specific input data. Because the issue had already been partially fixed in
> version 0.11.0, depending on the installed version it affects only certain
> language bindings.
> Explanation
> This issue has undergone the Sonatype Fast-Track process. For more
> information, please see the [Sonatype Knowledge Base
> Guide|https://guides.sonatype.com/iqserver/technical-guides/sonatype-vuln-data/#when-is-vulnerability-data-available].
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable
> to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of
> another component, there may not be an upgrade path. In this instance, we
> recommend contacting the maintainers who included the vulnerable package.
> Alternatively, we recommend investigating alternative components or a
> potential mitigating control.
> Advisories
> Project:
> [http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.m…|http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E]
> CVSS Details
> CVE CVSS 3: 7.5
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

--
This message was sent by Atlassian Jira
(v8.3.4#803005)