CVE-2018-1320

Published: Jan 7, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

Affected (7)

Products: Apache: Thrift · Debian: Debian Linux · F5: Traffix Signaling Delivery Controller · +1 more

Show all products

Apache: Thrift · Debian: Debian Linux · F5: Traffix Signaling Delivery Controller · Oracle: Global Lifecycle Management Opatch, Nosql Database

1 product

1 product

1 product

Traffix Signaling Delivery Controller

Oracle

2 products

Global Lifecycle Management Opatch

Nosql Database

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Thrift	From 0.5.0 to 0.11.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
F5 Traffix Signaling Delivery Controller	From 5.0.0 to 5.1.0

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Oracle Global Lifecycle Management Opatch	Before 11.2.0.3.23
Oracle Global Lifecycle Management Opatch	From 12.2.0.1.0 to 12.2.0.1.19
Oracle Global Lifecycle Management Opatch	From 13.9.4.0.0 to 13.9.4.2.1
Oracle Nosql Database	Before 19.3.12

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (50)

http://www.openwall.com/lists/oss-security/2019/07/24/3

Source: security@apache.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/106551

Source: security@apache.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2019:2413

Source: security@apache.org

Third Party Advisory

https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9%40%3Cdevnull.infra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3%40%3Cuser.thrift.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f%40%3Cdev.storm.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc%40%3Cuser.storm.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80%40%3Cannounce.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E

Source: security@apache.org

https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html

Source: security@apache.org

Mailing ListThird Party Advisory

https://support.f5.com/csp/article/K36361684

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: security@apache.org

PatchThird Party Advisory

http://www.openwall.com/lists/oss-security/2019/07/24/3