Vulnerability Details : CVE-2018-1320
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine whether the SASL handshake had successfully completed could be disabled in production settings, making the validation incomplete.
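As an added illustration of the defect class described above (constructed for this page, not code from Apache Thrift): a Java `assert` is a no-op unless the JVM is started with `-ea`, so an assert-based `isComplete()` check lets an unfinished SASL negotiation proceed, whereas the hardened form checks unconditionally and fails closed. The `TransportException` class and the stub `SaslClient` are assumptions made for the demonstration.

```java
import javax.security.sasl.SaslClient;

// Constructed demo of the CVE-2018-1320 defect class (not Thrift's own code):
// validation written as a Java assert disappears in a default production JVM,
// because asserts only execute when the JVM runs with -ea.
public final class SaslHandshakeCheck {

    /** Stand-in for the transport's own exception type (assumed name). */
    public static final class TransportException extends Exception {
        public TransportException(String msg) { super(msg); }
    }

    /** Vulnerable pattern: the completion check depends on assertions being enabled. */
    public static void finishHandshakeVulnerable(SaslClient client) {
        assert client.isComplete() : "SASL negotiation did not complete";
        // Without -ea, execution reaches here even when isComplete() is false.
    }

    /** Hardened pattern: the check always runs and rejects an incomplete handshake. */
    public static void finishHandshakeHardened(SaslClient client) throws TransportException {
        if (!client.isComplete()) {
            throw new TransportException("SASL negotiation did not complete");
        }
    }

    /** Constructed stub client that never completes, used to exercise both paths. */
    static SaslClient incompleteClient() {
        return new SaslClient() {
            public String getMechanismName() { return "STUB"; }
            public boolean hasInitialResponse() { return false; }
            public byte[] evaluateChallenge(byte[] challenge) { return new byte[0]; }
            public boolean isComplete() { return false; }
            public byte[] unwrap(byte[] b, int off, int len) { return b; }
            public byte[] wrap(byte[] b, int off, int len) { return b; }
            public Object getNegotiatedProperty(String name) { return null; }
            public void dispose() {}
        };
    }

    public static void main(String[] args) {
        SaslClient c = incompleteClient();
        finishHandshakeVulnerable(c); // passes silently unless run with: java -ea SaslHandshakeCheck
        try {
            finishHandshakeHardened(c);
        } catch (TransportException e) {
            System.out.println("hardened check rejected the handshake: " + e.getMessage());
        }
    }
}
```

Running the class with and without `-ea` shows the assert-based check behaving differently while the explicit check rejects the incomplete handshake in both cases.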
Products affected by CVE-2018-1320
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*
- Oracle » Global Lifecycle Management Opatch, versions >= 13.9.4.0.0 and < 13.9.4.2.1 (cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*)
- Oracle » Global Lifecycle Management Opatch, versions >= 12.2.0.1.0 and < 12.2.0.1.19 (cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*)
- cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
- F5 » Traffix Signaling Delivery Controller, versions >= 5.0.0 and <= 5.1.0 (cpe:2.3:a:f5:traffix_signaling_delivery_controller:*:*:*:*:*:*:*:*)
Exploit prediction scoring system (EPSS) score for CVE-2018-1320
- EPSS score: 0.42% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~74% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-1320
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2018-1320
- The product does not validate, or incorrectly validates, a certificate. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2018-1320
- https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E: [GitHub] [thrift] luciferous opened pull request #1771: THRIFT-4506: fix use of assert for correctness in Java SASL negotiation (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E: [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control) (Mailing List; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:2413: RHSA-2019:2413 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E: (Mailing List; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html: Oracle Critical Patch Update Advisory - April 2020 (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html: (Patch; Third Party Advisory)
- https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E: [jira] [Created] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control) (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E: [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control) (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E: [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control) (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E: [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E: (Mailing List; Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html: [SECURITY] [DLA 1662-1] libthrift-java security update (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E: (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E: (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E: [jira] [Commented] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control) (Mailing List; Vendor Advisory)
- https://support.f5.com/csp/article/K36361684: (Third Party Advisory)
- http://www.securityfocus.com/bid/106551: Apache Thrift CVE-2018-1320 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E: (Mailing List; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2019/07/24/3: oss-security - [CVE-2018-1320] Apache Storm vulnerable Thrift version (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E: [jira] [Assigned] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control) (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E: [CVE-2018-1320] Apache Storm vulnerable Thrift version (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E: [CVE-2018-1320] Apache Storm vulnerable Thrift version (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E: [SECURITY] CVE-2018-1320 Announcement (Issue Tracking; Mailing List; Patch; Vendor Advisory)
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E: [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E: [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities (Mailing List; Vendor Advisory)