Lucene search

RubySecRUBY:RED-ARROW-2019-12408

HistoryMay 23, 2022 - 9:00 p.m.

Missing Initialization of Resource in Apache Arrow

2022-05-2321:00:00

RubySec

lists.apache.org

apache arrow

c++

uninitialized memory

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

53.5%

JSON

It was discovered that the C++ implementation (which underlies the R,
Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized
memory bug when building arrays with null values in some cases. This can lead to
uninitialized memory being unintentionally shared if Arrow Arrays are transmitted
over the wire (for instance with Flight) or persisted in the streaming IPC and file
formats.

Affected configurations

Vulners

Node

rubyred-arrowRange≤0.15.1

VendorProductVersionCPE
rubyred-arrow*cpe:2.3:a:ruby:red-arrow:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	red-arrow	*	cpe:2.3:a:ruby:red-arrow::::::::

References

lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

53.5%

JSON

Related for RUBY:RED-ARROW-2019-12408