Insufficient Validation Affecting org.apache.thrift:libthrift package, versions [,0.9.3)

Attack Complexity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGAPACHETHRIFT-564358
published

1 Apr 2020
disclosed

30 Mar 2015
credit

Unknown

Report a new vulnerability Found a mistake?

Introduced: 30 Mar 2015

CVE - NOT AVAILABLE CWE-20 Open this link in a new tab

How to fix?

Upgrade org.apache.thrift:libthrift to version 0.9.3 or higher.

Overview

org.apache.thrift:libthrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC.

Affected versions of this package are vulnerable to Insufficient Validation. Multiple SSL vulnerabilities exists within thrift which includes:

It is possible to abuse to embedded OpenSSL library within thrift to conduct denial of service attacks by abusing TSSLSocket during close()
The SSL library used by default allows for insecure SSLv3 negotiation

Insufficient Validation Affecting org.apache.thrift:libthrift package, versions [,0.9.3)

Attack Complexity

Availability

snyk-id

published

disclosed

credit

Introduced: 30 Mar 2015

How to fix?

Overview

References