Vulnerability in Apache Thrift
CVE-2018-1320
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully c…
Vulnerability class: Improper Certificate Validation
EPSS: 0.082 (94.1 percentile).
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
Affected products
- Apache Thrift
- Apache Software Foundation Thrift, versions 0.5.0 to 0.11.0
- F5 Traffix Signaling Delivery Controller
- Oracle Global Lifecycle Management OPatch
- Oracle NoSQL Database
- Debian Linux, version 8.0
Weakness classification (CWE)
Frequently asked questions
- What is CVE-2018-1320?
- CVE-2018-1320 is a high-severity vulnerability in Apache Thrift, classified under Improper Certificate Validation. CVSS score: 7.5/10. Published 2019-01-07.
- How severe is CVE-2018-1320?
- High severity. CVSS v3 base score is 7.5 out of 10.