CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low
Percentile: 56.2%

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass
the SASL negotiation isComplete validation in the
org.apache.thrift.transport.TSaslTransport class. An assert used to
determine whether the SASL handshake had successfully completed could be
disabled in production settings, making the validation incomplete.
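
The failure mode described above, as an added example that is not Thrift's own code: a completion check written as a Java `assert` is skipped when the JVM runs with assertions disabled (the JVM default), while an explicit check fails closed. `HandshakeState`, `openWithAssert` and `openWithExplicitCheck` are hypothetical names introduced for illustration.

```java
// Added illustration; HandshakeState and both open* methods are hypothetical
// stand-ins, not code from org.apache.thrift.transport.TSaslTransport.
public class AssertBypassDemo {

    /** Hypothetical stand-in for a SASL endpoint exposing isComplete(). */
    interface HandshakeState {
        boolean isComplete();
    }

    /** Weak pattern: the check exists only while the JVM runs with -ea. */
    static void openWithAssert(HandshakeState sasl) {
        assert sasl.isComplete() : "SASL negotiation did not complete";
        // With assertions disabled, execution reaches this point even
        // though the handshake never finished.
    }

    /** Hardened pattern: an unconditional check that fails closed. */
    static void openWithExplicitCheck(HandshakeState sasl) {
        if (!sasl.isComplete()) {
            throw new IllegalStateException("SASL negotiation did not complete");
        }
    }

    /** Returns true when the given open routine rejected the handshake. */
    static boolean rejects(java.util.function.Consumer<HandshakeState> open,
                           HandshakeState sasl) {
        try {
            open.accept(sasl);
            return false;
        } catch (AssertionError | IllegalStateException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        HandshakeState incomplete = () -> false; // constructed: handshake never finished
        boolean assertionsOn = false;
        assert assertionsOn = true; // idiom: the assignment runs only under -ea

        System.out.println("assertions enabled:         " + assertionsOn);
        System.out.println("assert-based check rejects: "
                + rejects(AssertBypassDemo::openWithAssert, incomplete));
        System.out.println("explicit check rejects:     "
                + rejects(AssertBypassDemo::openWithExplicitCheck, incomplete));
    }
}
```

Run it once with `java AssertBypassDemo` and once with `java -ea AssertBypassDemo`: only the assert-based result depends on the JVM flag, which is why a security decision should not rest on `assert`.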

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libthrift-java | < 0.9.1-2.1~build0.18.04.1 | UNKNOWN |
ubuntu | 18.10 | noarch | libthrift-java | < 0.9.1-2.1~build0.18.10.1 | UNKNOWN |
ubuntu | 16.04 | noarch | libthrift-java | < 0.9.1-2.1~build0.16.04.1 | UNKNOWN |

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320
github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
issues.apache.org/jira/browse/THRIFT-4506
launchpad.net/bugs/cve/CVE-2018-1320
lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2018-1320
security-tracker.debian.org/tracker/CVE-2018-1320