Vulnerability Name:

CVE-2019-0205 (CCN-169460)

Assigned:2018-11-14
Published:2019-10-17
Updated:2022-04-18
Summary:In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-835
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-0205

Source: MISC
Type: Mailing List, Vendor Advisory
http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E

Source: CCN
Type: Apache Web site
Thrift

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0804

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0805

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0806

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0811

Source: XF
Type: UNKNOWN
apache-thrift-cve20190205-dos(169460)

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15420) CVE-2019-0205(Apache Thrift all versions up to and including 0.12.0) on version Cassendra 3.11.4

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20191106 [jira] [Assigned] (THRIFT-4997) Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift:

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20191106 [jira] [Resolved] (THRIFT-4997) Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift:

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-user] 20191108 Re: CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-user] 20191107 CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20191106 [jira] [Created] (THRIFT-4997) Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift:

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20191106 [jira] [Updated] (THRIFT-4997) Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift:

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15415) CVE-2019-0205 (Apache Thrift all versions up to and including 0.12.0 vulnerable) of severity 7.5

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20191106 [jira] [Comment Edited] (THRIFT-4997) Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift:

Source: MLIST
Type: Mailing List, Vendor Advisory
[hive-issues] 20210915 [jira] [Resolved] (HIVE-22738) CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20200124 [jira] [Commented] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20200127 [jira] [Commented] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20200208 [jira] [Comment Edited] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20200125 [jira] [Comment Edited] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: MLIST
Type: Mailing List, Vendor Advisory
[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210 and CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[pulsar-commits] 20210607 [GitHub] [pulsar] lhotari commented on issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210, CVE-2019-0205 and CVE-2020-13949

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-commits] 20210415 [jira] [Updated] (CASSANDRA-15420) CVE-2019-0205(Apache Thrift all versions up to and including 0.12.0) on version Cassendra 3.11.4

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20200125 [jira] [Commented] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6

Source: MLIST
Type: Mailing List, Vendor Advisory
[hive-dev] 20200116 [jira] [Created] (HIVE-22738) CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-user] 20211005 Re: Vulnerability in libthrift library (CVE-2019-0205)

Source: MLIST
Type: Mailing List, Vendor Advisory
[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210 and CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20210204 [jira] [Updated] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[thrift-commits] 20200208 [thrift] 01/01: THRIFT-5075: Backport changes for CVE-2019-0205 to 0.9.3.1 branch

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-commits] 20210415 [jira] [Commented] (CASSANDRA-15420) CVE-2019-0205(Apache Thrift all versions up to and including 0.12.0) on version Cassendra 3.11.4

Source: MLIST
Type: Mailing List, Vendor Advisory
[hive-issues] 20200116 [jira] [Updated] (HIVE-22738) CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-user] 20211004 Vulnerability in libthrift library (CVE-2019-0205)

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-user] 20211004 Re: Vulnerability in libthrift library (CVE-2019-0205)

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15420) CVE-2019-0205(Apache Thrift all versions up to and including 0.12.0) on version Cassendra 3.11.4

Source: MLIST
Type: Mailing List, Vendor Advisory
[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210 and CVE-2019-0205

Source: MLIST
Type: Mailing List, Vendor Advisory
[cassandra-commits] 20210924 [jira] [Assigned] (CASSANDRA-15420) CVE-2019-0205(Apache Thrift all versions up to and including 0.12.0) on version Cassendra 3.11.4

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20200208 [jira] [Commented] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-notifications] 20200813 [GitHub] [thrift] kevinsookocheff-wf commented on pull request #1993: THRIFT-5075: Backport changes for CVE-2019-0205 to 0.9.3.1 branch

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20210204 [jira] [Updated] (THRIFT-4997) Nexus Scan Reporting Security issue CVE-2019-0205 for Thrift:

Source: MLIST
Type: Mailing List, Vendor Advisory
[thrift-dev] 20200124 [jira] [Created] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

Source: CCN
Type: oss-sec Mailing List, Wed, 16 Oct 2019 22:46:15 +0000
CVE-2019-0205: Apache Thrift: potential DoS when processing untrusted Thrift payload

Source: GENTOO
Type: Third Party Advisory
GLSA-202107-32

Source: CCN
Type: IBM Security Bulletin 1120701 (Watson Machine Learning CE)
Multiple vulenerabilities CVE-2019-0205, CVE-2019-0210 in thrift package

Source: CCN
Type: IBM Security Bulletin 6252853 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6324855 (Resilient OnPrem)
IBM Resilient SOAR is Using Components with Known Vulnerabilities - Apache Thrift (CVE-2019-0205)

Source: CCN
Type: IBM Security Bulletin 6572497 (Security Guardium)
IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift

Source: CCN
Type: IBM Security Bulletin 6830243 (QRadar User Behavior Analytics)
Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6965298 (Integration Bus)
IBM Integration Bus is vulnerable to a remote attack & denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force ID: 177835)

Source: CCN
Type: IBM Security Bulletin 6983567 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Thrift

Source: CCN
Type: IBM Security Bulletin 6986577 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 7003479 (Application Performance Management)
Vulnerability of Apache Thrift (libthrift-0.12.0.jar ) have affected APM WebSphere Application Server Agent and APM SAP NetWeaver Agent

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-0205

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:thrift:*:*:*:*:*:*:*:* (Version <= 0.12.0)

Configuration 2:
  • cpe:/a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:thrift:0.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:thrift:0.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:thrift:0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:thrift:0.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:thrift:0.11.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:thrift:0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:thrift:0.12.0:*:*:*:-:*:*
  • AND
  • cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:application_performance_management:8.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*

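The configuration block above is an NVD-style applicability expression: each configuration is a tree of AND/OR nodes over CPE 2.2 URIs, and the wildcard Thrift entry carries a "(Version <= 0.12.0)" range qualifier rather than a concrete version. The following Python is an added example, not part of this advisory or of Apache Thrift: it transcribes the three NVD configurations listed above and evaluates them against a software inventory given as CPE URIs. The inventory entries are constructed for illustration; only part, vendor, product and version are compared, and the remaining CPE fields (including the "-" in the CCN 0.12.0 entry) are treated as wildcards. It also shows why the version bound must be compared numerically: as strings, "0.9.3" sorts after "0.12.0" and an older affected release would be missed.

```python
"""Evaluate NVD-style CPE 2.2 configurations against a software inventory.

Added example; not code from the advisory or from Apache Thrift. The configuration
data is transcribed from the page, the inventory below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

CPE_KEYS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri: str) -> dict:
    """Parse a CPE 2.2 URI ("cpe:/a:vendor:product:version:...") into a dict.

    NVD pads 2.2 URIs with extra "*" components (CPE 2.3 attributes); they are ignored,
    and short URIs are padded with "*" so every key is present.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    fields = uri[len("cpe:/"):].split(":")
    fields += ["*"] * (len(CPE_KEYS) - len(fields))
    return dict(zip(CPE_KEYS, fields))


def version_key(v: str) -> tuple:
    """Sort key for dotted versions: numeric parts compare as integers, so
    0.9.3 < 0.12.0. Non-numeric parts sort after numbers and compare as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


@dataclass
class CpeMatch:
    """One CPE line of a configuration. `version_end_including` carries the page's
    "(Version <= x)" qualifier; in that case the CPE's own version field is "*"."""
    cpe: str
    version_end_including: Optional[str] = None

    def matches(self, item: str) -> bool:
        want, have = parse_cpe(self.cpe), parse_cpe(item)
        # Only part/vendor/product/version are compared; update, edition and
        # language are treated as wildcards in this example.
        for k in ("part", "vendor", "product"):
            if want[k] != "*" and want[k] != have[k]:
                return False
        if self.version_end_including is not None:
            return version_key(have["version"]) <= version_key(self.version_end_including)
        return want["version"] in ("*", have["version"])


@dataclass
class Node:
    """AND/OR node whose children are CpeMatch leaves or nested nodes."""
    op: str
    children: List[Union["CpeMatch", "Node"]] = field(default_factory=list)

    def matches(self, inventory: List[str]) -> bool:
        # A leaf is satisfied if any inventory item matches it; a nested node
        # is evaluated recursively against the whole inventory.
        results = (
            any(c.matches(i) for i in inventory) if isinstance(c, CpeMatch) else c.matches(inventory)
            for c in self.children
        )
        return all(results) if self.op == "AND" else any(results)


# Transcribed from the "Vulnerable Configuration" section of this page.
CONFIGURATIONS = {
    "Configuration 1": Node("OR", [
        CpeMatch("cpe:/a:apache:thrift:*:*:*:*:*:*:*:*", version_end_including="0.12.0"),
    ]),
    "Configuration 2": Node("AND", [
        CpeMatch("cpe:/a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*"),
        Node("OR", [
            CpeMatch("cpe:/o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*"),
            CpeMatch("cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"),
            CpeMatch("cpe:/o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*"),
        ]),
    ]),
    "Configuration 3": Node("OR", [
        CpeMatch("cpe:/a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*"),
    ]),
}


def affected_configurations(inventory: List[str]) -> List[str]:
    """Return the names of the page's configurations that the inventory satisfies."""
    return [name for name, node in CONFIGURATIONS.items() if node.matches(inventory)]


# Constructed inventory (CPE 2.2 URIs); not taken from the page.
SAMPLE_INVENTORY = [
    "cpe:/a:apache:thrift:0.9.3",
    "cpe:/a:redhat:jboss_enterprise_application_platform:7.2.0",
    "cpe:/o:redhat:enterprise_linux_server:7.0",
]

if __name__ == "__main__":
    print(affected_configurations(SAMPLE_INVENTORY))
```

For a dependency scan, Configuration 1 is the one that matters: it is satisfied by any libthrift at or below 0.12.0 regardless of platform, and the summary's note that the 0.11.0 partial fix limits which language bindings are affected means a match still needs to be confirmed against the binding you actually ship before closing or accepting the finding.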