CVE-2018-1320

Summary

CVE	CVE-2018-1320
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-01-07 17:29:00 UTC
Updated	2023-11-07 02:55:00 UTC
Description	Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

Risk And Classification

Problem Types: CWE-295

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Thrift	All	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Application	F5	Traffix Sdc	All	All	All	All
Application	F5	Traffix Signaling Delivery Controller	All	All	All	All
Application	Oracle	Global Lifecycle Management Opatch	All	All	All	All
Application	Oracle	Nosql Database	All	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
support.f5.com/csp/article/K36361684	CONFIRM	support.f5.com	Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MISC	lists.apache.org	Issue Tracking, Mailing List, Patch, Vendor Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Vendor Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)		lists.apache.org
Pony Mail!		lists.apache.org
[cassandra-commits] 20210415 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
[cassandra-commits] 20210415 [jira] [Commented] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)		lists.apache.org
[SECURITY] [DLA 1662-1] libthrift-java security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
oss-security - [CVE-2018-1320] Apache Storm vulnerable Thrift version	MLIST	www.openwall.com
Pony Mail!	MLIST	lists.apache.org
Apache Thrift CVE-2018-1320 Security Bypass Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
Red Hat Customer Portal	REDHAT	access.redhat.com
Pony Mail!	MLIST	lists.apache.org
[cassandra-commits] 20210323 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)		lists.apache.org
Oracle Critical Patch Update - October 2019	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - April 2020	N/A	www.oracle.com
[cassandra-commits] 20210415 [jira] [Comment Edited] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

980657 Java (maven) Security Update for org.apache.thrift:libthrift (GHSA-wjxj-f8rg-99wx)