CVE-2018-1320

Published: 05 Mar 2018
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
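
The failure mode described above, shown as an added example that is not Apache Thrift's code: a completion check written as a Java `assert` disappears when the JVM runs with assertions disabled (the default), while an explicit conditional always runs. The class and method names (`SaslCompletionCheck`, `StalledSaslClient`, `openWithAssert`, `openWithCheck`) are hypothetical, and the stub client is constructed for the demonstration.

```java
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

// Added illustration; not Apache Thrift source. All class and method names are hypothetical.
public class SaslCompletionCheck {

    // Constructed stub: a SASL client whose negotiation never finishes.
    static final class StalledSaslClient implements SaslClient {
        public String getMechanismName() { return "PLAIN"; }
        public boolean hasInitialResponse() { return false; }
        public byte[] evaluateChallenge(byte[] c) { return new byte[0]; }
        public boolean isComplete() { return false; }
        public byte[] unwrap(byte[] b, int o, int l) { return b; }
        public byte[] wrap(byte[] b, int o, int l) { return b; }
        public Object getNegotiatedProperty(String p) { return null; }
        public void dispose() { }
    }

    // Weak: the check only exists when the JVM runs with -ea / -enableassertions.
    static void openWithAssert(SaslClient sasl) {
        assert sasl.isComplete() : "SASL negotiation not complete";
    }

    // Hardened: an ordinary conditional cannot be switched off by JVM flags.
    static void openWithCheck(SaslClient sasl) throws SaslException {
        if (!sasl.isComplete()) {
            throw new SaslException("SASL negotiation not complete");
        }
    }

    public static void main(String[] args) {
        SaslClient stalled = new StalledSaslClient();
        try {
            openWithAssert(stalled);
            System.out.println("assert gate:   transport opened with incomplete handshake");
        } catch (AssertionError e) {
            System.out.println("assert gate:   rejected (assertions enabled): " + e.getMessage());
        }
        try {
            openWithCheck(stalled);
            System.out.println("explicit gate: transport opened with incomplete handshake");
        } catch (SaslException e) {
            System.out.println("explicit gate: rejected: " + e.getMessage());
        }
    }
}
```

Running it once with `java SaslCompletionCheck` and once with `java -ea SaslCompletionCheck` shows that only the explicit check behaves the same in both runs.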

Report

OpenDaylight: OpenDaylight includes libthrift but does not use the vulnerable functionality. OpenDaylight should be considered not affected by this flaw.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat JBoss Data Virtualization 6 | libthrift | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 7 | libthrift | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Continuous Delivery | libthrift | Not affected | | |
| Red Hat JBoss Fuse Service Works 6 | thrift | Out of support scope | | |
| Red Hat JBoss Operations Network 3 | libthrift | Not affected | | |
| Red Hat OpenShift Application Runtimes | libthrift | Out of support scope | | |
| Red Hat OpenShift Container Platform 4 | thrift | Not affected | | |
| Red Hat OpenShift Enterprise 3 | thrift | Not affected | | |
| Red Hat OpenStack Platform 10 (Newton) | libthrift | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix | | |

Additional information

Status: Moderate
Defect: CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=1667204 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class

EPSS

Percentile: 30%
0.0011
Low

CVSS3

6.5 Medium

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 7 years ago

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

CVSS3: 7.5
nvd
about 7 years ago

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

CVSS3: 7.5
debian
about 7 years ago

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can by ...

CVSS3: 7.5
github
about 7 years ago

Improper Input Validation in Apache Thrift

CVSS3: 7.5
fstec
about 7 years ago

A vulnerability in the org.apache.thrift.transport.TSaslTransport class of the Apache Thrift interface description language that allows an attacker to gain unauthorized access to protected information
