Vulnerability Details : CVE-2016-5397
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
Products affected by CVE-2016-5397
- cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-5397
0.54%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-5397
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2016-5397
-
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5397
-
https://access.redhat.com/errata/RHSA-2019:3140
RHSA-2019:3140 - Security Advisory - Red Hat Customer Portal
-
http://www.securityfocus.com/bid/103025
Apache Thrift CVE-2016-5397 Remote Command Injection VulnerabilityThird Party Advisory;VDB Entry
-
https://issues.apache.org/jira/browse/THRIFT-3893
[THRIFT-3893] Command injection in format_go_output - ASF JIRAVendor Advisory
-
http://mail-archives.apache.org/mod_mbox/thrift-user/201701.mbox/raw/%3CCANyrgvc3W%3DMJ9S-hMZecPNzxkyfgNmuSgVfW2hdDSz5ke%2BOPhQ%40mail.gmail.com%3E
Mailing List;Vendor Advisory
-
https://access.redhat.com/errata/RHSA-2018:2669
RHSA-2018:2669 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E
[jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 - Pony Mail
Jump to