[ https://issues.apache.org/jira/browse/CASSANDRA-15415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-15415:
-----------------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Triage Needed)

> CVE-2019-0205 (Apache Thrift all versions up to and including 0.12.0 
> vulnerable) of severity 7.5
> ------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15415
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15415
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Abhishek Singh
>            Priority: Normal
>
> *Description :*
>  *Severity :* CVE CVSS 3: 7.5; Sonatype CVSS 3: 7.5
>  
>  *Weakness :* CVE CWE: 835
>  
>  *Source :* National Vulnerability Database
>  
>  *Categories :* Data 
>  *Description from CVE :* In Apache Thrift all versions up to and including 
> 0.12.0, a server or client may run into an endless loop when feed with 
> specific input data. Because the issue had already been partially fixed in 
> version 0.11.0, depending on the installed version it affects only certain 
> language bindings.
>  
>  *Explanation :* This issue has undergone the Sonatype Fast-Track process. 
> For more information, please see the Sonatype Knowledge Base Guide. 
>  *Detection :* The application is vulnerable by using this component. 
>  *Recommendation :* We recommend upgrading to a version of this component 
> that is not vulnerable to this specific issue. Note: If this component is 
> included as a bundled/transitive dependency of another component, there may 
> not be an upgrade path. In this instance, we recommend contacting the 
> maintainers who included the vulnerable package. Alternatively, we recommend 
> investigating alternative components or a potential mitigating control. 
>  *Advisories :* Project: 
> http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.m…
>  
>  *CVSS Details :* CVE CVSS 3: 7.5; CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> *Occurrences (Paths) :* 
> ["TSO/windows_bao_devstudio_installer_8.2.01.zip/files/5d8b80e7a292.zip/plugins/com.bmc.ao.ui.studio.plugin_1.0.0.jar/lib/ecj-4.4.2.jar"
>  ; " apache-cassandra.zip/bin/cassandra.bat" ; " 
> apache-cassandra.zip/bin/cassandra.in.bat" ; " 
> apache-cassandra.zip/bin/cassandra.in.sh" ; " 
> apache-cassandra.zip/bin/cqlsh.bat" ; " 
> apache-cassandra.zip/bin/debug-cql.bat" ; " 
> apache-cassandra.zip/bin/source-conf.ps1" ; " 
> apache-cassandra.zip/bin/sstableloader.bat" ; " 
> apache-cassandra.zip/bin/sstablescrub.bat" ; " 
> apache-cassandra.zip/bin/sstableupgrade.bat" ; " 
> apache-cassandra.zip/bin/sstableverify.bat" ; " 
> apache-cassandra.zip/bin/stop-server" ; " 
> apache-cassandra.zip/bin/stop-server.ps1" ; " 
> apache-cassandra.zip/conf/README.txt" ; " 
> apache-cassandra.zip/conf/cassandra-rackdc.properties" ; " 
> apache-cassandra.zip/conf/cassandra-topology.properties" ; " 
> apache-cassandra.zip/conf/commitlog_archiving.properties" ; " 
> apache-cassandra.zip/conf/triggers/README.txt" ; " 
> apache-cassandra.zip/lib/ST4-4.0.8.jar" ; " 
> apache-cassandra.zip/lib/airline-0.6.jar" ; " 
> apache-cassandra.zip/lib/antlr-runtime-3.5.2.jar" ; " 
> apache-cassandra.zip/lib/commons-cli-1.1.jar" ; " 
> apache-cassandra.zip/lib/commons-lang3-3.1.jar" ; " 
> apache-cassandra.zip/lib/commons-math3-3.2.jar" ; " 
> apache-cassandra.zip/lib/compress-lzf-0.8.4.jar" ; " 
> apache-cassandra.zip/lib/concurrentlinkedhashmap-lru-1.4.jar" ; " 
> apache-cassandra.zip/lib/disruptor-3.0.1.jar" ; " 
> apache-cassandra.zip/lib/futures-2.1.6-py2.py3-none-any.zip" ; " 
> apache-cassandra.zip/lib/high-scale-lib-1.0.6.jar" ; " 
> apache-cassandra.zip/lib/jamm-0.3.0.jar" ; " 
> apache-cassandra.zip/lib/javax.inject.jar" ; " 
> apache-cassandra.zip/lib/jbcrypt-0.3m.jar" ; " 
> apache-cassandra.zip/lib/jcl-over-slf4j-1.7.7.jar" ; " 
> apache-cassandra.zip/lib/joda-time-2.4.jar" ; " 
> apache-cassandra.zip/lib/json-simple-1.1.jar" ; " 
> apache-cassandra.zip/lib/libthrift-0.9.2.jar" ; " 
> apache-cassandra.zip/lib/licenses/ST4-4.0.8.txt" ; " 
> apache-cassandra.zip/lib/licenses/antlr-runtime-3.5.2.txt" ; " 
> apache-cassandra.zip/lib/licenses/compress-lzf-0.8.4.txt" ; " 
> apache-cassandra.zip/lib/licenses/concurrent-trees-2.4.0.txt" ; " 
> apache-cassandra.zip/lib/licenses/ecj-4.4.2.txt" ; " 
> apache-cassandra.zip/lib/licenses/futures-2.1.6.txt" ; " 
> apache-cassandra.zip/lib/licenses/high-scale-lib-1.0.6.txt" ; " 
> apache-cassandra.zip/lib/licenses/jbcrypt-0.3m.txt" ; " 
> apache-cassandra.zip/lib/licenses/jcl-over-slf4j-1.7.7.txt" ; " 
> apache-cassandra.zip/lib/licenses/jna-4.2.2.txt" ; " 
> apache-cassandra.zip/lib/licenses/jstackjunit-0.0.1.txt" ; " 
> apache-cassandra.zip/lib/licenses/log4j-over-slf4j-1.7.7.txt" ; " 
> apache-cassandra.zip/lib/licenses/logback-classic-1.1.3.txt" ; " 
> apache-cassandra.zip/lib/licenses/logback-core-1.1.3.txt" ; " 
> apache-cassandra.zip/lib/licenses/lz4-1.3.0.txt" ; " 
> apache-cassandra.zip/lib/licenses/metrics-core-3.1.5.txt" ; " 
> apache-cassandra.zip/lib/licenses/metrics-jvm-3.1.5.txt" ; " 
> apache-cassandra.zip/lib/licenses/ohc-0.4.4.txt" ; " 
> apache-cassandra.zip/lib/licenses/reporter-config-base-3.0.3.txt" ; " 
> apache-cassandra.zip/lib/licenses/reporter-config3-3.0.3.txt" ; " 
> apache-cassandra.zip/lib/licenses/sigar-1.6.4.txt" ; " 
> apache-cassandra.zip/lib/licenses/six-1.7.3.txt" ; " 
> apache-cassandra.zip/lib/licenses/slf4j-api-1.7.7.txt" ; " 
> apache-cassandra.zip/lib/licenses/stream-2.5.2.txt" ; " 
> apache-cassandra.zip/lib/log4j-over-slf4j-1.7.7.jar" ; " 
> apache-cassandra.zip/lib/logback-classic-1.1.3.jar" ; " 
> apache-cassandra.zip/lib/logback-core-1.1.3.jar" ; " 
> apache-cassandra.zip/lib/lz4-1.3.0.jar" ; " 
> apache-cassandra.zip/lib/sigar-1.6.4.jar" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-amd64-freebsd-6.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-amd64-linux.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-amd64-solaris.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-ia64-hpux-11.sl" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-ia64-linux.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-pa-hpux-11.sl" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-ppc-aix-5.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-ppc-linux.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-ppc64-aix-5.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-ppc64-linux.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-s390x-linux.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-sparc-solaris.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-sparc64-solaris.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-universal-macosx.dylib" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-universal64-macosx.dylib" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-x86-freebsd-5.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-x86-freebsd-6.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-x86-linux.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/libsigar-x86-solaris.so" ; " 
> apache-cassandra.zip/lib/sigar-bin/sigar-amd64-winnt.dll" ; " 
> apache-cassandra.zip/lib/sigar-bin/sigar-x86-winnt.dll" ; " 
> apache-cassandra.zip/lib/sigar-bin/sigar-x86-winnt.lib" ; " 
> apache-cassandra.zip/lib/six-1.7.3-py2.py3-none-any.zip" ; " 
> apache-cassandra.zip/lib/slf4j-api-1.7.7.jar" ; " 
> apache-cassandra.zip/lib/snakeyaml-1.11.jar" ; " 
> apache-cassandra.zip/lib/snappy-java-1.1.1.7.jar" ; " 
> apache-cassandra.zip/lib/stream-2.5.2.jar" ; " 
> apache-cassandra.zip/lib/thrift-server-0.3.7.jar" ; " 
> apache-cassandra.zip/pylib/cqlshlib/__init__.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/saferscanner.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/sslhandling.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/test/ansi_colors.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/test/basecase.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/test/test_cql_parsing.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/test/test_cqlsh_commands.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/test/test_cqlsh_invocation.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/test/test_cqlsh_parsing.py" ; " 
> apache-cassandra.zip/pylib/cqlshlib/test/winpty.py" ; " 
> apache-cassandra.zip/tools/bin/cassandra-stress.bat" ; " 
> apache-cassandra.zip/tools/bin/cassandra.in.bat" ; " 
> apache-cassandra.zip/tools/bin/cassandra.in.sh" ; " 
> apache-cassandra.zip/tools/bin/sstableexpiredblockers.bat" ; " 
> apache-cassandra.zip/tools/bin/sstablelevelreset.bat" ; " 
> apache-cassandra.zip/tools/bin/sstablemetadata.bat" ; " 
> apache-cassandra.zip/tools/bin/sstableofflinerelevel.bat" ; " 
> apache-cassandra.zip/tools/bin/sstablerepairedset.bat" ; " 
> apache-cassandra.zip/tools/bin/sstablesplit.bat"]
> *CVE :* CVE-2019-0205
> *URL :* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
> *Remediation :* This component does not have any non-vulnerable Version. 
> Please contact the vendor to get this vulnerability fixed.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
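The scanner output quoted in the ticket lists almost the whole Cassandra distribution as "occurrences", but the only artifact the CVE text actually names is the bundled Apache Thrift jar (lib/libthrift-0.9.2.jar). The script below is an added example, not code from Cassandra, Sonatype or the ticket: it picks the libthrift jar out of such a path list (or out of a real unpacked distribution), parses its version, and flags it when the version is at or below 0.12.0, the highest affected release according to the CVE description quoted above. The sample path list is constructed from the ticket's occurrence list; the tolerance for a build suffix such as `-SNAPSHOT` is an assumption, not something the ticket states.

```python
"""Flag a bundled Apache Thrift jar affected by CVE-2019-0205.

Added example for this notification; not Cassandra, Sonatype or Thrift code.
The CVE text quoted in the ticket says every Thrift release up to and
including 0.12.0 is affected, so a libthrift jar with version <= 0.12.0 is
reported. Unrelated files that a scanner lumps into its "occurrences" list
(scripts, licences, other jars) are ignored.
"""
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Highest affected release per the CVE description quoted in the ticket.
LAST_AFFECTED: Tuple[int, int, int] = (0, 12, 0)

# Matches the jar name Cassandra ships, e.g. lib/libthrift-0.9.2.jar.
# The optional build suffix (e.g. "-SNAPSHOT") is an assumption, kept so a
# locally rebuilt jar is not silently skipped. thrift-server-*.jar is a
# different artifact with its own version and is deliberately not matched.
_THRIFT_JAR = re.compile(
    r"(?:^|/)libthrift-(\d+)\.(\d+)\.(\d+)(?:[-.][\w.]+)?\.jar$"
)

# Constructed from the ticket's "Occurrences (Paths)" list; most entries are
# noise from the scanner and only the libthrift jar matters for this CVE.
SAMPLE_PATHS: List[str] = [
    "apache-cassandra.zip/bin/cassandra.in.sh",
    "apache-cassandra.zip/lib/jbcrypt-0.3m.jar",
    "apache-cassandra.zip/lib/libthrift-0.9.2.jar",
    "apache-cassandra.zip/lib/thrift-server-0.3.7.jar",
    "apache-cassandra.zip/lib/licenses/ecj-4.4.2.txt",
]


def thrift_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) of a libthrift jar path, or None."""
    m = _THRIFT_JAR.search(path.strip().replace("\\", "/"))
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version is at or below the last affected release."""
    return version <= LAST_AFFECTED


def find_affected(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every libthrift jar at or below 0.12.0."""
    hits: List[Tuple[str, str]] = []
    for p in paths:
        v = thrift_version(p)
        if v is not None and is_affected(v):
            hits.append((p.strip(), ".".join(str(n) for n in v)))
    return hits


def walk_tree(root: str) -> Iterable[str]:
    """Yield every file path under an unpacked distribution directory."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


if __name__ == "__main__":
    # Usage: python check_thrift.py [/path/to/unpacked/apache-cassandra]
    candidates = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    affected = find_affected(candidates)
    for path, version in affected:
        print(f"AFFECTED  libthrift {version}  {path}")
    sys.exit(1 if affected else 0)
```

Run without arguments it works on the constructed list and reports only `lib/libthrift-0.9.2.jar`; pointed at an unpacked tarball it walks the tree and exits non-zero when an affected jar is present, which makes it usable as a release gate. Note that the scanner's own verdict ("the application is vulnerable by using this component") is only about the jar's presence; whether the Thrift endpoint is actually enabled on a given node is a separate question the path list cannot answer.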
