Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

thrift

Source -

ADPNVD

CNA CVEs -

0

ADP CVEs -

2

CISA CVEs -

0

NVD CVEs -

27
Related CVEsRelated VendorsRelated AssignersReports
29Vulnerabilities found

CVE-2026-43868
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.66% / 47.67%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 07:49
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftRed Hat Data Grid 8Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat AI Inference ServerRed Hat Fuse 7Red Hat build of Apache Camel 4 for Quarkus 3Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux AI (RHEL AI) 3
CWE ID-CWE-1285
Improper Validation of Specified Index, Position, or Offset in Input
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-43870
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.3||HIGH
EPSS-0.39% / 31.64%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 07:45
Updated-06 May, 2026 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Node.js web_server.js multi-vulnerability

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-thriftApache Thrift
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-346
Origin Validation Error
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-43869
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.3||HIGH
EPSS-0.63% / 46.25%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 07:25
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: TSSLTransportFactory.java hostname verification

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Cryostat 4 on RHEL 9Red Hat OpenStack Platform 18.0Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Multicluster Global Hub 1.7.1Red Hat Advanced Cluster Management for Kubernetes 2.16Red Hat AI Inference ServerRed Hat Fuse 7Red Hat Advanced Cluster Management for Kubernetes 2.13Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Advanced Cluster Management for Kubernetes 2Multicluster Global Hub 1.4.5Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global HubRed Hat OpenShift distributed tracing 3.10.1Red Hat Data Grid 8Red Hat OpenShift distributed tracing 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat Enterprise Linux 8Multicluster Global Hub 1.5.4Red Hat build of Apache Camel 4 for Quarkus 3Red Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4
CWE ID-CWE-295
Improper Certificate Validation
CWE ID-CWE-297
Improper Validation of Certificate with Host Mismatch
CVE-2026-41636
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-8.7||HIGH
EPSS-0.47% / 37.57%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 09:22
Updated-28 Apr, 2026 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Node.js skip() recursion

Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-thriftApache Thrift
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2026-41607
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.93% / 56.63%
||
7 Day CHG-0.04%
Published-28 Apr, 2026 | 09:21
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: C++ JSON OOB read

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Red Hat OpenShift Container Platform 4Red Hat OpenShift distributed tracing 3Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Multicluster Global Hub 1.5.4Red Hat AI Inference ServerRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenShift GitOpsRed Hat OpenShift distributed tracing 3.9.3Red Hat OpenShift AI (RHOAI)Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global Hub 1.4.5
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-41606
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-5.3||MEDIUM
EPSS-1.10% / 62.00%
||
7 Day CHG-0.04%
Published-28 Apr, 2026 | 09:21
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: c_glib dispatch stack overflow

Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Red Hat OpenShift Container Platform 4Red Hat OpenShift distributed tracing 3Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Multicluster Global Hub 1.5.4Red Hat AI Inference ServerRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenShift GitOpsRed Hat OpenShift distributed tracing 3.9.3Red Hat OpenShift AI (RHOAI)Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global Hub 1.4.5
CWE ID-CWE-606
Unchecked Input for Loop Condition
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2026-41605
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.3||HIGH
EPSS-0.93% / 56.62%
||
7 Day CHG-0.04%
Published-28 Apr, 2026 | 09:20
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Swift Compact Protocol integer overflow

Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Red Hat OpenShift Container Platform 4Red Hat OpenShift distributed tracing 3Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Multicluster Global Hub 1.5.4Red Hat AI Inference ServerRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenShift GitOpsRed Hat OpenShift distributed tracing 3.9.3Red Hat OpenShift AI (RHOAI)Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global Hub 1.4.5
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-41604
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-8.2||HIGH
EPSS-0.92% / 56.24%
||
7 Day CHG-0.04%
Published-28 Apr, 2026 | 09:20
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Swift Range crash in skip()

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Red Hat OpenShift Container Platform 4Red Hat OpenShift distributed tracing 3Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Multicluster Global Hub 1.5.4Red Hat AI Inference ServerRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenShift GitOpsRed Hat OpenShift distributed tracing 3.9.3Red Hat OpenShift AI (RHOAI)Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global Hub 1.4.5
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-41603
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.4||HIGH
EPSS-0.57% / 43.43%
||
7 Day CHG-0.02%
Published-28 Apr, 2026 | 09:19
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Java TSSLTransportFactory hostname verification

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Red Hat OpenShift Container Platform 4Red Hat OpenShift distributed tracing 3Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Multicluster Global Hub 1.5.4Red Hat AI Inference ServerRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenShift GitOpsRed Hat OpenShift distributed tracing 3.9.3Red Hat OpenShift AI (RHOAI)Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global Hub 1.4.5
CWE ID-CWE-295
Improper Certificate Validation
CWE ID-CWE-297
Improper Validation of Certificate with Host Mismatch
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-41602
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.16% / 63.69%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 09:19
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Go TFramedTransport uint32 overflow

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Red Hat OpenStack Platform 18.0Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Multicluster Global Hub 1.7.1Red Hat Advanced Cluster Management for Kubernetes 2.16Red Hat AI Inference ServerRed Hat OpenShift distributed tracing 3.9.3Red Hat Ceph Storage 5Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global HubRed Hat OpenShift Container Platform 4Multicluster Global Hub 1.5.4Red Hat Ceph Storage 9Red Hat OpenShift GitOpsRed Hat Ceph Storage 6Red Hat OpenShift AI (RHOAI)Multicluster Global Hub 1.4.5
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2025-48431
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.08% / 61.33%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 09:11
Updated-15 Jul, 2026 | 02:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftOpenShift Service Mesh 2Cryostat 4 on RHEL 9Red Hat OpenStack Platform 18.0Red Hat Advanced Cluster Management for Kubernetes 2.15Red Hat Advanced Cluster Management for Kubernetes 2.16Red Hat AI Inference ServerRed Hat Ceph Storage 5Red Hat Advanced Cluster Management for Kubernetes 2Red Hat Advanced Cluster Management for Kubernetes 2.14Multicluster Global HubRed Hat OpenShift distributed tracing 3.10.1Red Hat OpenShift distributed tracing 3Red Hat Enterprise Linux 8Red Hat Ceph Storage 9Red Hat Ceph Storage 8Red Hat Ceph Storage 6Red Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4
CWE ID-CWE-762
Mismatched Memory Management Routines
CWE ID-CWE-763
Release of Invalid Pointer or Reference
CVE-2024-45863
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.35% / 27.35%
||
7 Day CHG~0.00%
Published-27 Sep, 2024 | 13:50
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A null-dereference vulnerability involving parsing requests specifying invalid protocols can cause the application to crash or potentially result in other undesirable effects. This issue affects Facebook Thrift from v2024.09.09.00 until v2024.09.23.00.

Action-Not Available
Vendor-Facebook
Product-Facebook Thriftthrift
CVE-2024-45773
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-0.48% / 38.09%
||
7 Day CHG~0.00%
Published-27 Sep, 2024 | 13:49
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A use-after-free vulnerability involving upgradeToRocket requests can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2024.09.09.00.

Action-Not Available
Vendor-Facebook
Product-Facebook Thriftthrift
CVE-2021-24028
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.75% / 75.28%
||
7 Day CHG~0.00%
Published-13 Apr, 2021 | 23:20
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-763
Release of Invalid Pointer or Reference
CVE-2020-13949
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-6.78% / 93.25%
||
7 Day CHG~0.00%
Published-12 Feb, 2021 | 19:39
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Action-Not Available
Vendor-n/aThe Apache Software FoundationOracle Corporation
Product-thriftcommunications_cloud_native_core_policycommunications_cloud_native_core_network_slice_selection_functionhiveApache Thrift
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2019-11939
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-1.52% / 71.74%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 00:40
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-3553
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-2.08% / 79.36%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:30
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

C++ Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.02.03.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11938
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-2.20% / 80.51%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 20:30
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-0205
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-9.16% / 94.75%
||
7 Day CHG+0.07%
Published-28 Oct, 2019 | 22:32
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software FoundationOracle Corporation
Product-thriftjboss_enterprise_application_platformcommunications_cloud_native_core_network_slice_selection_functionenterprise_linux_serverApache Thrift
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2019-0210
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-6.85% / 93.31%
||
7 Day CHG+0.06%
Published-28 Oct, 2019 | 22:22
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software FoundationOracle Corporation
Product-thriftjboss_enterprise_application_platformcommunications_cloud_native_core_network_slice_selection_functionenterprise_linux_serverApache Thrift
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-3558
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-2.02% / 78.78%
||
7 Day CHG~0.00%
Published-06 May, 2019 | 15:15
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-834
Excessive Iteration
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2019-3559
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-1.99% / 78.46%
||
7 Day CHG~0.00%
Published-06 May, 2019 | 15:15
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-834
Excessive Iteration
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2019-3552
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-1.98% / 78.33%
||
7 Day CHG~0.00%
Published-06 May, 2019 | 15:15
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-834
Excessive Iteration
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2019-3564
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-1.99% / 78.46%
||
7 Day CHG~0.00%
Published-06 May, 2019 | 15:15
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-834
Excessive Iteration
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2019-3565
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-2.81% / 84.95%
||
7 Day CHG~0.00%
Published-06 May, 2019 | 15:15
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.05.06.00.

Action-Not Available
Vendor-Facebook
Product-thriftFacebook Thrift
CWE ID-CWE-834
Excessive Iteration
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2018-1320
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-8.19% / 94.24%
||
7 Day CHG~0.00%
Published-07 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

Action-Not Available
Vendor-The Apache Software FoundationF5, Inc.Debian GNU/LinuxOracle Corporation
Product-global_lifecycle_management_opatchdebian_linuxnosql_databasethrifttraffix_signaling_delivery_controllerApache Thrift
CWE ID-CWE-295
Improper Certificate Validation
CVE-2018-11798
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-4.88% / 91.07%
||
7 Day CHG~0.00%
Published-07 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 08:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.

Action-Not Available
Vendor-The Apache Software Foundation
Product-thriftApache Thrift
CWE ID-CWE-538
Insertion of Sensitive Information into Externally-Accessible File or Directory
CVE-2016-5397
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-8.8||HIGH
EPSS-7.06% / 93.49%
||
7 Day CHG~0.00%
Published-12 Feb, 2018 | 17:00
Updated-16 Sep, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.

Action-Not Available
Vendor-The Apache Software Foundation
Product-thriftApache Thrift
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-3254
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-5.33% / 91.71%
||
7 Day CHG~0.00%
Published-16 Jun, 2017 | 22:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-thriftn/a
CWE ID-CWE-20
Improper Input Validation