Skip to main content

Thrift CVE-2019-0210

HIGH
Out-of-bounds Read (CWE-125)
2019-10-29 security@apache.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 29, 2019 - 19:15 nvd
HIGH 7.5

DescriptionNVD

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.

AnalysisAI

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Affected products include: Apache Thrift, Redhat Jboss Enterprise Application Platform, Oracle Communications Cloud Native Core Network Slice Selection Function.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

More in Thrift

View all
CVE-2021-24028 CRITICAL
9.8 Apr 14

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code e

CVE-2026-41604 HIGH
8.2 Apr 28

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigge

CVE-2026-41602 HIGH
7.5 Apr 28

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash

CVE-2019-0205 HIGH
7.5 Oct 29

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with

CVE-2019-3565 HIGH
7.5 May 06

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers o

CVE-2019-3564 HIGH
7.5 May 06

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high

CVE-2019-3559 HIGH
7.5 May 06

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated hi

CVE-2019-3558 HIGH
7.5 May 06

Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated

CVE-2019-3552 HIGH
7.5 May 06

C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown ty

CVE-2026-41603 HIGH
7.4 Apr 28

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle

CVE-2026-41605 HIGH
7.3 Apr 28

Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthen

CVE-2026-43869 HIGH
7.3 May 05

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.2

Share

CVE-2019-0210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy