Vulnerability Name: | CVE-2019-0210 (CCN-169459) |
Assigned: | 2018-11-14 |
Published: | 2019-10-17 |
Updated: | 2022-10-29 |
Summary: | In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data. Because an unrecovered panic terminates the whole Go process, a single malformed request from an unauthenticated network client is enough to take the server down.
|
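As an added example (not part of this record and not code from the Thrift project), the following Go program does the two things a practitioner typically wants after reading this advisory: it scans `go list -m all` output for a Go Thrift dependency inside the affected range 0.9.3 through 0.12.0, and it shows the recover-based stop-gap for a server that cannot move to the first unaffected release (0.13.0) immediately. The `go list` output below is constructed sample data; the module path github.com/apache/thrift is real, and the `+incompatible` suffix is what Go prints for the pre-go.mod 0.12.0 tag. The panic inside `main` is a simulated out-of-bounds slice access standing in for the decoder fault, not the real trigger.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected range from the advisory: Apache Thrift 0.9.3 through 0.12.0.
var (
	firstAffected = [3]int{0, 9, 3}
	lastAffected  = [3]int{0, 12, 0}
)

// parseVersion turns "0.12.0", "v0.12.0" or "v0.12.0+incompatible" into
// numeric major/minor/patch. Pre-release and build suffixes are dropped.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("unrecognised version component %q", p)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 like a three-way comparison.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// IsAffectedThrift reports whether a Thrift library version falls inside
// the range the advisory lists as vulnerable (inclusive on both ends).
func IsAffectedThrift(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	return compareVersions(v, firstAffected) >= 0 && compareVersions(v, lastAffected) <= 0, nil
}

// sampleGoList is constructed example output of `go list -m all`; it is not
// taken from any real project.
const sampleGoList = `example.com/service
github.com/apache/thrift v0.12.0+incompatible
golang.org/x/net v0.0.0-20190620200207-3b0461eec859
`

// AffectedThriftModules scans `go list -m all` output for the Go Thrift
// module and returns the lines whose version is inside the affected range.
func AffectedThriftModules(goListOutput string) ([]string, error) {
	var hits []string
	for _, line := range strings.Split(goListOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "github.com/apache/thrift" {
			continue
		}
		affected, err := IsAffectedThrift(fields[1])
		if err != nil {
			return nil, err
		}
		if affected {
			hits = append(hits, line)
		}
	}
	return hits, nil
}

// SafeProcess runs one request-processing call (for example a generated
// TProcessor.Process call on the server side) and converts a runtime panic
// into an ordinary error. An unrecovered panic in any goroutine terminates
// the Go process, so this keeps one malformed message from taking the whole
// server down. It is a stop-gap for deployments that cannot upgrade yet,
// not a substitute for the fixed library version.
func SafeProcess(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("request processing panicked: %v", r)
		}
	}()
	return fn()
}

func main() {
	hits, err := AffectedThriftModules(sampleGoList)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("affected:", h)
	}

	// Simulated decoder fault: indexing past the end of a short buffer is the
	// kind of out-of-bounds access (CWE-125) that panics at runtime in Go.
	err = SafeProcess(func() error {
		buf := []byte(`{"1":`)
		_ = buf[len(buf)+3]
		return nil
	})
	fmt.Println("recovered:", err)
}
```

Run the version check against real `go list -m all` output from the service's module root; a hit means the Go server is in scope regardless of which protocol it is configured with, since the protocol can be selected per connection by a multiplexed or pluggable transport. The `SafeProcess` wrapper belongs around the per-connection processing loop, and the recovered error should be logged and counted so that a burst of panics is visible as an attack signal rather than silently absorbed.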
CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
| 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
| Scope (S): Unchanged
| Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High
| 7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
| 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
| Scope (S): Unchanged
| Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High |
|
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
| Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
| Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial
| 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
| Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
| Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Complete |
|
Vulnerability Type: | CWE-125 (Out-of-bounds Read) |
|
Vulnerability Consequences: | Denial of Service |
References: | Source: MITRE Type: CNA CVE-2019-0210
Source: CONFIRM Type: Mailing List, Vendor Advisory http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E
Source: CCN Type: Apache Web site Thrift
Source: REDHAT Type: Third Party Advisory RHSA-2020:0804
Source: REDHAT Type: Third Party Advisory RHSA-2020:0805
Source: REDHAT Type: Third Party Advisory RHSA-2020:0806
Source: REDHAT Type: Third Party Advisory RHSA-2020:0811
Source: XF Type: UNKNOWN apache-thrift-cve20190210-dos(169459)
Source: MLIST Type: Mailing List, Vendor Advisory [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210 and CVE-2019-0205
Source: MLIST Type: Mailing List, Vendor Advisory [pulsar-commits] 20210607 [GitHub] [pulsar] lhotari commented on issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210, CVE-2019-0205 and CVE-2020-13949
Source: MLIST Type: Mailing List, Vendor Advisory [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210 and CVE-2019-0205
Source: MLIST Type: Mailing List, Vendor Advisory [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9248: Upgrade Thrift dependency in broker to solve CVE-2019-0210 and CVE-2019-0205
Source: CCN Type: oss-sec Mailing List, Thu, 17 Oct 2019 00:46:17 +0200 CVE-2019-0210: Apache Thrift: out-of-bounds read vulnerability
Source: GENTOO Type: Third Party Advisory GLSA-202107-32
Source: CCN Type: IBM Security Bulletin 1120701 (Watson Machine Learning CE) Multiple vulenerabilities CVE-2019-0205, CVE-2019-0210 in thrift package
Source: CCN Type: IBM Security Bulletin 6252853 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6572497 (Security Guardium) IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift
Source: CCN Type: IBM Security Bulletin 6983567 (Watson Discovery) IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Thrift
Source: CCN Type: WhiteSource Vulnerability Database CVE-2019-0210
|
Vulnerable Configuration: |
Configuration 1: cpe:/a:apache:thrift:*:*:*:*:*:*:*:* (Version >= 0.9.3 and <= 0.12.0)
Configuration 2: cpe:/a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:* AND (cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* OR cpe:/o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*)
Configuration 3: cpe:/a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*
Configuration CCN 1: (cpe:/a:apache:thrift:0.9.2:*:*:*:*:*:*:* OR cpe:/a:apache:thrift:0.9.3:*:*:*:*:*:*:* OR cpe:/a:apache:thrift:0.5.0:*:*:*:*:*:*:* OR cpe:/a:apache:thrift:0.6.0:*:*:*:*:*:*:* OR cpe:/a:apache:thrift:0.11.0:*:*:*:*:*:*:* OR cpe:/a:apache:thrift:0.6.1:*:*:*:*:*:*:* OR cpe:/a:apache:thrift:0.12.0:*:*:*:*:-:*:*) AND (cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*) |