Описание
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| libthrift-java | fixed | 0.9.1-2.1 | package | |
| libthrift-java | fixed | 0.9.1-2.1~deb9u1 | stretch | package |
Примечания
https://issues.apache.org/jira/browse/THRIFT-4506
https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
Связанные уязвимости
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Уязвимость класса org.apache.thrift.transport.TSaslTransport языка описания интерфейсов Apache Thrift, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации