<p>Upgrade <code>org.apache.thrift:libthrift</code> to version 0.9.3 or higher.</p>

Insufficient Validation Affecting org.apache.thrift:libthrift package, versions [,0.9.3)

Snyk CVSS

Attack Complexity High

Availability High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHETHRIFT-564358
published 1 Apr 2020
disclosed 30 Mar 2015
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 30 Mar 2015

CWE-20 Open this link in a new tab

How to fix?

Upgrade org.apache.thrift:libthrift to version 0.9.3 or higher.

Overview

org.apache.thrift:libthrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC.

Affected versions of this package are vulnerable to Insufficient Validation. Multiple SSL vulnerabilities exists within thrift which includes:

It is possible to abuse to embedded OpenSSL library within thrift to conduct denial of service attacks by abusing TSSLSocket during close()
The SSL library used by default allows for insecure SSLv3 negotiation

Insufficient Validation Affecting org.apache.thrift:libthrift package, versions [,0.9.3)

Snyk CVSS

Introduced: 30 Mar 2015

How to fix?

Overview

References