CVSS2 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |

CVSS3 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |

EPSS | Value |
---|---|
Percentile | 59.2% |

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass
the SASL negotiation isComplete validation in the
org.apache.thrift.transport.TSaslTransport class. An assert used to
determine whether the SASL handshake had completed successfully could be
disabled in production settings, making the validation incomplete.

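The failure mode described above, as an added illustration that is not Thrift's code: a completion check written as a Java assert disappears when assertions are disabled, while an explicit check always runs. The class Handshake and the methods finishWithAssert, finishWithCheck and outcome are hypothetical names, and the incomplete handshake is constructed sample input.

```java
import java.util.function.Consumer;

// Added illustration; Handshake and the finish* methods are hypothetical, not Thrift code.
public class AssertVsCheck {
    /** Stand-in for a SASL negotiation whose message exchange has ended. */
    static final class Handshake {
        private final boolean complete;
        Handshake(boolean complete) { this.complete = complete; }
        boolean isComplete() { return complete; }
    }

    /** Weak pattern: the validation only exists when the JVM runs with -ea. */
    static void finishWithAssert(Handshake h) {
        assert h.isComplete() : "SASL negotiation did not complete";
    }

    /** Hardened pattern: the validation is ordinary control flow and always runs. */
    static void finishWithCheck(Handshake h) {
        if (!h.isComplete()) {
            throw new IllegalStateException("SASL negotiation did not complete");
        }
    }

    /** Runs one variant against an incomplete handshake and reports the result. */
    static String outcome(Consumer<Handshake> finish) {
        try {
            finish.accept(new Handshake(false)); // constructed input: never completed
            return "ACCEPTED (transport would be treated as open)";
        } catch (AssertionError | IllegalStateException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        boolean ea = false;
        assert ea = true; // the assignment only executes when assertions are enabled
        System.out.println("assertions enabled: " + ea);
        System.out.println("assert-based check: " + outcome(AssertVsCheck::finishWithAssert));
        System.out.println("explicit check:     " + outcome(AssertVsCheck::finishWithCheck));
    }
}
```

Run it once with `java AssertVsCheck` (assertions are off by default in the JVM) and once with `java -ea AssertVsCheck` to compare how the assert-based variant behaves.
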
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libthrift-java | < 0.9.1-2.1~build0.18.04.1 | UNKNOWN |
ubuntu | 18.10 | noarch | libthrift-java | < 0.9.1-2.1~build0.18.10.1 | UNKNOWN |
ubuntu | 16.04 | noarch | libthrift-java | < 0.9.1-2.1~build0.16.04.1 | UNKNOWN |
github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e
issues.apache.org/jira/browse/THRIFT-4506
launchpad.net/bugs/cve/CVE-2018-1320
lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2018-1320
security-tracker.debian.org/tracker/CVE-2018-1320
www.cve.org/CVERecord?id=CVE-2018-1320