Vulnerabilities > Apache > Thrift
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-02-12 | CVE-2020-13949 | Resource Exhaustion vulnerability in multiple products In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. | 7.5 |
| 2019-10-29 | CVE-2019-0210 | Out-of-bounds Read vulnerability in multiple products In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. | 7.5 |
| 2019-10-29 | CVE-2019-0205 | Infinite Loop vulnerability in multiple products In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. | 7.5 |
| 2019-01-07 | CVE-2018-1320 | Improper Certificate Validation vulnerability in multiple products Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. | 7.5 |
| 2019-01-07 | CVE-2018-11798 | File and Directory Information Exposure vulnerability in Apache Thrift The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path. | 6.5 |
| 2018-02-12 | CVE-2016-5397 | Command Injection vulnerability in Apache Thrift The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. | 8.8 |
| 2017-06-16 | CVE-2015-3254 | Improper Input Validation vulnerability in Apache Thrift The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. | 6.5 |