Vulnerability Description
The Apache Thrift Go client library exposed the potential, during code generation, for command injection, because the generator invoked an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
CVSS Score
HIGH (base score 8.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Thrift | <= 0.9.3 |
Related Weaknesses (CWE)
References
- http://mail-archives.apache.org/mod_mbox/thrift-user/201701.mbox/raw/%3CCANyrgvc (Mailing List, Vendor Advisory)
- http://www.securityfocus.com/bid/103025 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:2669
- https://access.redhat.com/errata/RHSA-2019:3140
- https://issues.apache.org/jira/browse/THRIFT-3893 (Vendor Advisory)
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac2
FAQ
What is CVE-2016-5397?
CVE-2016-5397 is a vulnerability with a CVSS score of 8.8 (HIGH). The Apache Thrift Go client library exposed the potential, during code generation, for command injection, because the generator invoked an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
How severe is CVE-2016-5397?
CVE-2016-5397 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2016-5397?
Yes. The issue is fixed in Apache Thrift 0.10.0; see the References section above for the vendor advisory (THRIFT-3893) and the Red Hat errata. Affected products include: Apache Thrift.