18 matches found
CVE-2020-13949
CVE-2020-13949 affects Apache Thrift versions 0.9.3 through 0.13.0. The issue: malicious RPC clients can send short messages that trigger extremely large memory allocations, leading to a denial of service. The connected advisories confirm a remote DoS risk in Thrift with impact on servers handlin...
CVE-2019-0205
CVE-2019-0205 affects Apache Thrift up to version 0.12.0, where a server or client may enter an endless loop when fed specific input data. The issue was partially fixed in 0.11.0, and depending on the language binding, only certain bindings are impacted. Exploitation details are not provided in t...
CVE-2018-11798
The CVE-2018-11798 entry concerns Apache Thrift Node.js static web server (versions 0.9.2–0.11.0) where a remote attacker can access files outside the webroot docroot. Connected sources also reference CVE-2018-1320 in the Thrift TSaslTransport SASL handshake validation issue. NVD metrics cite a b...
CVE-2018-1320
CVE-2018-1320 affects Apache Thrift: Java client library versions 0.5.0–0.11.0. The issue stems from an assert in TSaslTransport.isComplete that validates SASL handshakes; disabling this check can leave SASL negotiation validation incomplete, enabling a security bypass. Multiple connected sources...
CVE-2019-0210
Apache Thrift in versions 0.9.3–0.12.0 has an out-of-bounds read in a Go server using TJSONProtocol/TSimpleJSONProtocol that may panic on invalid input data (CVE-2019-0210). Mitigation via upgrade to newer Thrift versions; Gentoo GLSA 202107-32 recommends >= thrift-0.14.1. Other advisories cor...
CVE-2015-3254
Apache Thrift client libraries before 0.9.3 are affected by CVE-2015-3254, which could allow a remote authenticated user to trigger a denial of service via infinite recursion in the skip function. Impact is a partial denial of service (availability affected) with network access and no confidentia...
CVE-2016-5397
Concisely: CVE-2016-5397 affects the Apache Thrift Go client library. The vulnerability arises from code-generation time where an external formatting tool could allow a remote attacker to execute arbitrary commands, as described for Apache Thrift 0.9.3 and older. The issue is exploitable via Go c...
CVE-2026-41602
CVE-2026-41602: Integer Overflow or Wraparound in Apache Thrift Go TFramedTransport (uint32 overflow) affecting Thrift before 0.23.0. Affected component: Apache Thrift’s Go TFramedTransport implementation. Root cause: uint32 overflow/wraparound in framing transport handling. Impact: potential ove...
CVE-2026-43868
CVE-2026-43868 concerns a memory allocation with an excessive size value in Apache Thrift. Affected: Thrift versions prior to 0.23.0 (per initial description). Exploitation could cause high memory usage and denial of service; no in-wild exploit details provided. Remediation: upgrade to Apache Thr...
CVE-2026-41606
CVE-2026-41606 is an Uncontrolled Recursion vulnerability in Apache Thrift prior to 0.23.0. The issue affects Apache Thrift before 0.23.0 and is addressed by upgrading to 0.23.0 (as noted in multiple sources, including the openSUSE advisory for libthrift-0_23_0-0.23.0-1.1 on GA media). The CVSS b...
CVE-2026-43869
The CVE-2026-43869 issue is an Improper Validation of Certificate with Host Mismatch in Apache Thrift, arising from hostname verification in TSSLTransportFactory.java. Affected software: Apache Thrift before 0.23.0. Consequence: potential trust/bypass risks due to invalid host certificate checks....
CVE-2026-41636
CVE-2026-41636 describes an Uncontrolled Recursion vulnerability in the Apache Thrift Node.js bindings. Affected software is Apache Thrift versions prior to 0.23.0. The issue is mitigated by upgrading to Thrift 0.23.0, which fixes the problem. The available documents do not specify exact affected...
CVE-2026-43870
Apache Thrift (before 0.23.0) contains multiple issues: Origin Validation Error, Path Traversal (improper limitation of a pathname to a restricted directory), HTTP header CRLF-related splitting, and uncontrolled resource consumption. Upgrade to 0.23.0 to fix. Exploitation status is not provided i...
CVE-2025-48431
The CVE-2025-48431 affects Apache Thrift c_glib bindings (c_glib language bindings) prior to 0.23.0. The issue is a Mismatched Memory Management Routines vulnerability that can cause a crash in a c_glib-based Thrift server via specially crafted requests, producing a fatal "+free(): invalid pointe...
CVE-2026-41607
CVE-2026-41607 : The connected documents confirm an out-of-bounds read vulnerability in Apache Thrift, affecting Thrift versions before 0.23.0. The mitigation is to upgrade to 0.23.0 or later, as specified in multiple sources. The vulnerability affects the Thrift implementation and is described c...
CVE-2026-41604
The CVE-2026-41604 entry concerns an Out-of-bounds Read vulnerability in Apache Thrift, affecting versions prior to 0.23.0. The vulnerability is characterized by its impact on confidentiality and availability (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) with a HIGH base score (8.2). Affected ...
CVE-2026-41603
CVE-2026-41603 : This vulnerability is in Apache Thrift, specifically an improper validation of a certificate when the host name mismatches during TLS. It affects Apache Thrift versions before 0.23.0. The recommended fix is to upgrade to version 0.23.0, which resolves the issue. The available sou...
CVE-2026-41605
CVE-2026-41605 is an Integer Overflow or Wraparound vulnerability in Apache Thrift affecting versions before 0.23.0 . Public descriptions consistently recommend upgrading to 0.23.0 to fix the issue. Connected sources confirm the vendor/product and the upgrade path; no exploit details or active ve...