Lucene search
K
ApacheThrift

18 matches found

CVE
CVE
added 2021/02/12 7:39 p.m.603 views

CVE-2020-13949

CVE-2020-13949 affects Apache Thrift versions 0.9.3 through 0.13.0. The issue: malicious RPC clients can send short messages that trigger extremely large memory allocations, leading to a denial of service. The connected advisories confirm a remote DoS risk in Thrift with impact on servers handlin...

7.5CVSS7.1AI score0.06779EPSS
CVE
CVE
added 2019/10/28 10:32 p.m.427 views

CVE-2019-0205

CVE-2019-0205 affects Apache Thrift up to version 0.12.0, where a server or client may enter an endless loop when fed specific input data. The issue was partially fixed in 0.11.0, and depending on the language binding, only certain bindings are impacted. Exploitation details are not provided in t...

7.8CVSS7.3AI score0.09082EPSS
CVE
CVE
added 2019/01/07 6:0 p.m.393 views

CVE-2018-11798

The CVE-2018-11798 entry concerns Apache Thrift Node.js static web server (versions 0.9.2–0.11.0) where a remote attacker can access files outside the webroot docroot. Connected sources also reference CVE-2018-1320 in the Thrift TSaslTransport SASL handshake validation issue. NVD metrics cite a b...

6.5CVSS6.6AI score0.04875EPSS
CVE
CVE
added 2019/01/07 6:0 p.m.369 views

CVE-2018-1320

CVE-2018-1320 affects Apache Thrift: Java client library versions 0.5.0–0.11.0. The issue stems from an assert in TSaslTransport.isComplete that validates SASL handshakes; disabling this check can leave SASL negotiation validation incomplete, enabling a security bypass. Multiple connected sources...

7.5CVSS7.3AI score0.08188EPSS
CVE
CVE
added 2019/10/28 10:22 p.m.173 views

CVE-2019-0210

Apache Thrift in versions 0.9.3–0.12.0 has an out-of-bounds read in a Go server using TJSONProtocol/TSimpleJSONProtocol that may panic on invalid input data (CVE-2019-0210). Mitigation via upgrade to newer Thrift versions; Gentoo GLSA 202107-32 recommends >= thrift-0.14.1. Other advisories cor...

7.5CVSS7.3AI score0.06793EPSS
CVE
CVE
added 2017/06/16 10:0 p.m.73 views

CVE-2015-3254

Apache Thrift client libraries before 0.9.3 are affected by CVE-2015-3254, which could allow a remote authenticated user to trigger a denial of service via infinite recursion in the skip function. Impact is a partial denial of service (availability affected) with network access and no confidentia...

6.5CVSS6AI score0.05335EPSS
CVE
CVE
added 2018/02/12 5:0 p.m.69 views

CVE-2016-5397

Concisely: CVE-2016-5397 affects the Apache Thrift Go client library. The vulnerability arises from code-generation time where an external formatting tool could allow a remote attacker to execute arbitrary commands, as described for Apache Thrift 0.9.3 and older. The issue is exploitable via Go c...

9CVSS8.8AI score0.07061EPSS
CVE
CVE
added 2026/04/28 9:19 a.m.47 views

CVE-2026-41602

CVE-2026-41602: Integer Overflow or Wraparound in Apache Thrift Go TFramedTransport (uint32 overflow) affecting Thrift before 0.23.0. Affected component: Apache Thrift’s Go TFramedTransport implementation. Root cause: uint32 overflow/wraparound in framing transport handling. Impact: potential ove...

7.5CVSS5.2AI score0.01163EPSS
CVE
CVE
added 2026/05/05 7:49 a.m.30 views

CVE-2026-43868

CVE-2026-43868 concerns a memory allocation with an excessive size value in Apache Thrift. Affected: Thrift versions prior to 0.23.0 (per initial description). Exploitation could cause high memory usage and denial of service; no in-wild exploit details provided. Remediation: upgrade to Apache Thr...

7.5CVSS6.7AI score0.00665EPSS
CVE
CVE
added 2026/04/28 9:21 a.m.26 views

CVE-2026-41606

CVE-2026-41606 is an Uncontrolled Recursion vulnerability in Apache Thrift prior to 0.23.0. The issue affects Apache Thrift before 0.23.0 and is addressed by upgrading to 0.23.0 (as noted in multiple sources, including the openSUSE advisory for libthrift-0_23_0-0.23.0-1.1 on GA media). The CVSS b...

7.5CVSS5.2AI score0.01144EPSS
CVE
CVE
added 2026/05/05 7:25 a.m.26 views

CVE-2026-43869

The CVE-2026-43869 issue is an Improper Validation of Certificate with Host Mismatch in Apache Thrift, arising from hostname verification in TSSLTransportFactory.java. Affected software: Apache Thrift before 0.23.0. Consequence: potential trust/bypass risks due to invalid host certificate checks....

7.3CVSS5.8AI score0.00632EPSS
CVE
CVE
added 2026/04/28 9:22 a.m.24 views

CVE-2026-41636

CVE-2026-41636 describes an Uncontrolled Recursion vulnerability in the Apache Thrift Node.js bindings. Affected software is Apache Thrift versions prior to 0.23.0. The issue is mitigated by upgrading to Thrift 0.23.0, which fixes the problem. The available documents do not specify exact affected...

8.7CVSS5.2AI score0.00469EPSS
CVE
CVE
added 2026/05/05 7:45 a.m.20 views

CVE-2026-43870

Apache Thrift (before 0.23.0) contains multiple issues: Origin Validation Error, Path Traversal (improper limitation of a pathname to a restricted directory), HTTP header CRLF-related splitting, and uncontrolled resource consumption. Upgrade to 0.23.0 to fix. Exploitation status is not provided i...

7.3CVSS5.8AI score0.00394EPSS
CVE
CVE
added 2026/04/28 9:11 a.m.19 views

CVE-2025-48431

The CVE-2025-48431 affects Apache Thrift c_glib bindings (c_glib language bindings) prior to 0.23.0. The issue is a Mismatched Memory Management Routines vulnerability that can cause a crash in a c_glib-based Thrift server via specially crafted requests, producing a fatal "+free(): invalid pointe...

7.5CVSS5.3AI score0.01079EPSS
CVE
CVE
added 2026/04/28 9:21 a.m.18 views

CVE-2026-41607

CVE-2026-41607 : The connected documents confirm an out-of-bounds read vulnerability in Apache Thrift, affecting Thrift versions before 0.23.0. The mitigation is to upgrade to 0.23.0 or later, as specified in multiple sources. The vulnerability affects the Thrift implementation and is described c...

9.1CVSS5.2AI score0.00967EPSS
CVE
CVE
added 2026/04/28 9:20 a.m.17 views

CVE-2026-41604

The CVE-2026-41604 entry concerns an Out-of-bounds Read vulnerability in Apache Thrift, affecting versions prior to 0.23.0. The vulnerability is characterized by its impact on confidentiality and availability (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) with a HIGH base score (8.2). Affected ...

8.2CVSS5.2AI score0.00954EPSS
CVE
CVE
added 2026/04/28 9:19 a.m.15 views

CVE-2026-41603

CVE-2026-41603 : This vulnerability is in Apache Thrift, specifically an improper validation of a certificate when the host name mismatches during TLS. It affects Apache Thrift versions before 0.23.0. The recommended fix is to upgrade to version 0.23.0, which resolves the issue. The available sou...

8.2CVSS5.2AI score0.00593EPSS
CVE
CVE
added 2026/04/28 9:20 a.m.15 views

CVE-2026-41605

CVE-2026-41605 is an Integer Overflow or Wraparound vulnerability in Apache Thrift affecting versions before 0.23.0 . Public descriptions consistently recommend upgrading to 0.23.0 to fix the issue. Connected sources confirm the vendor/product and the upgrade path; no exploit details or active ve...

7.7CVSS5.2AI score0.00967EPSS