[ https://issues.apache.org/jira/browse/THRIFT-4997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16968143#comment-16968143 ]

Jens Geyer edited comment on THRIFT-4997 at 11/6/19 7:56 AM:
-------------------------------------------------------------

I have no idea what the purpose of this ticket is. We know that, we fixed it 
a long time ago and we also have a new release 0.13.0 for you to use. 


was (Author: jensg):
I have no idea what the purpose of this ticket is. We know that, we fixed it 
and we have a new release 0.13.0. Don't you have a home?

> Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift: 
> --------------------------------------------------------------
>
>                 Key: THRIFT-4997
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4997
>             Project: Thrift
>          Issue Type: Bug
>    Affects Versions: 0.12.0
>            Reporter: Sachin Tappe
>            Priority: Major
>
> Description from CVE
> In Apache Thrift all versions up to and including 
> 0.12.0, a server or client may run into an endless loop when fed with 
> specific input data. Because the issue had already been partially fixed in 
> version 0.11.0, depending on the installed version it affects only certain 
> language bindings.
> Explanation
> This issue has undergone the Sonatype Fast-Track process. For more 
> information, please see the [Sonatype Knowledge Base 
> Guide|https://guides.sonatype.com/iqserver/technical-guides/sonatype-vuln-data/#when-is-vulnerability-data-available].
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of 
> another component, there may not be an upgrade path. In this instance, we 
> recommend contacting the maintainers who included the vulnerable package. 
> Alternatively, we recommend investigating alternative components or a 
> potential mitigating control.
> Advisories
> Project: 
> [http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.m…|http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E]
> CVSS Details
> CVE CVSS 3: 7.5 
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
