{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hazelcast: java deserialization in join cluster procedure leading to remote code execution (CVE-2016-10750)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\n* jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899)\n\n* spring-security-oauth: Privilege escalation by manipulating saved authorization request (CVE-2018-15758)\n\n* solr: remote code execution due to unsafe deserialization (CVE-2019-0192)\n\n* thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)\n\n* spring-security-core: Unauthorized Access with Spring Security Method Security (CVE-2018-1258)\n\n* wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2019:2413",
        "url": "https://access.redhat.com/errata/RHSA-2019:2413"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.4.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.4.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/"
      },
      {
        "category": "external",
        "summary": "1548909",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1548909"
      },
      {
        "category": "external",
        "summary": "1578582",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578582"
      },
      {
        "category": "external",
        "summary": "1601037",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601037"
      },
      {
        "category": "external",
        "summary": "1643048",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1643048"
      },
      {
        "category": "external",
        "summary": "1660263",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1660263"
      },
      {
        "category": "external",
        "summary": "1667204",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1667204"
      },
      {
        "category": "external",
        "summary": "1692345",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1692345"
      },
      {
        "category": "external",
        "summary": "1713215",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1713215"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2413.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Fuse 7.4.0 security update",
    "tracking": {
      "current_release_date": "2024-11-05T21:20:18+00:00",
      "generator": {
        "date": "2024-11-05T21:20:18+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2019:2413",
      "initial_release_date": "2019-08-08T10:08:27+00:00",
      "revision_history": [
        {
          "date": "2019-08-08T10:08:27+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-08-08T10:08:27+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T21:20:18+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Fuse 7.4.0",
                "product": {
                  "name": "Red Hat Fuse 7.4.0",
                  "product_id": "Red Hat Fuse 7.4.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_fuse:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Fuse"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-10750",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2019-05-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1713215"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the cluster join procedure in Hazelcast. This flaw allows an attacker to gain remote code execution via Java deserialization.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "hazelcast: java deserialization in join cluster procedure leading to remote code execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The module vertx-hazelcast is not supported in Red Hat OpenShift Application Runtimes (RHOAR) products.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-10750"
        },
        {
          "category": "external",
          "summary": "RHBZ#1713215",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1713215"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-10750",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-10750"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10750",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10750"
        }
      ],
      "release_date": "2016-04-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "hazelcast: java deserialization in join cluster procedure leading to remote code execution"
    },
    {
      "cve": "CVE-2018-1258",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2018-05-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1578582"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Unauthorized Access with Spring Security Method Security",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-1258"
        },
        {
          "category": "external",
          "summary": "RHBZ#1578582",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1578582"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1258",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-1258"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1258",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1258"
        }
      ],
      "release_date": "2018-05-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "spring-security-core: Unauthorized Access with Spring Security Method Security"
    },
    {
      "cve": "CVE-2018-1320",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2019-01-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1667204"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenDaylight:\nOpenDaylight includes libthrift, however does not use the vulnerable functionality. OpenDaylight should be considered not affected by this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-1320"
        },
        {
          "category": "external",
          "summary": "RHBZ#1667204",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1667204"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1320",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-1320"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1320",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1320"
        }
      ],
      "release_date": "2018-03-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Chris McCown"
          ]
        }
      ],
      "cve": "CVE-2018-8088",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2018-02-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1548909"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An XML deserialization vulnerability was discovered in slf4j\u0027s EventData, which accepts an XML serialized string and can lead to arbitrary code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.\n\nThis issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).\n\nRed Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-8088"
        },
        {
          "category": "external",
          "summary": "RHBZ#1548909",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1548909"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-8088",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-8088"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-8088",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8088"
        }
      ],
      "release_date": "2018-02-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Martin Bajanik"
          ]
        }
      ],
      "cve": "CVE-2018-10899",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2018-07-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1601037"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jolokia, versions 1.2 through 1.6.0, where Jolokia did not correctly handle checking for origin and referrer headers when strict checking was enabled. An attacker could use this vulnerability to conduct cross-site request forgery or further attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jolokia: system-wide CSRF that could lead to Remote Code Execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In Red Hat OpenStack Platform, jolokia is not enabled by default and, when enabled, the jolokia endpoints do not rely on CORS for security. Therefore, the impact has been reduced to Low and no updates will be provided at this time for the RHOSP jolokia package.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-10899"
        },
        {
          "category": "external",
          "summary": "RHBZ#1601037",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601037"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-10899",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-10899"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10899",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10899"
        },
        {
          "category": "external",
          "summary": "https://jolokia.org/#Minor_updates_coming_with_1.6.1",
          "url": "https://jolokia.org/#Minor_updates_coming_with_1.6.1"
        }
      ],
      "release_date": "2019-06-11T10:41:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jolokia: system-wide CSRF that could lead to Remote Code Execution"
    },
    {
      "cve": "CVE-2018-15758",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "discovery_date": "2018-10-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1643048"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and use a custom Approval Endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability does not expose applications that: Act in the role of an Authorization Server and use the default Approval Endpoint, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-oauth: Privilege escalation by manipulating saved authorization request",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-15758"
        },
        {
          "category": "external",
          "summary": "RHBZ#1643048",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1643048"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-15758",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-15758"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-15758",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15758"
        },
        {
          "category": "external",
          "summary": "https://pivotal.io/security/cve-2018-15758",
          "url": "https://pivotal.io/security/cve-2018-15758"
        }
      ],
      "release_date": "2018-10-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "spring-security-oauth: Privilege escalation by manipulating saved authorization request"
    },
    {
      "cve": "CVE-2019-0192",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2019-03-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1692345"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Apache Solr\u0027s Config API, where it would permit the configuration of the JMX server via an HTTP POST request. An attacker could use this flaw to direct traffic to a malicious RMI server, and then trigger remote code execution or conduct further attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "solr: remote code execution due to unsafe deserialization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-0192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1692345",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1692345"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-0192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-0192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-0192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0192"
        }
      ],
      "release_date": "2019-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        },
        {
          "category": "workaround",
          "details": "* Upgrade to 6.6.6 or later\n* Disable the ConifgAPI if not in use (`disable.configEdit=true`)\n* Use other external means to ensure only trusted traffic is allowed (block POST requests to the config API from external sources)",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "solr: remote code execution due to unsafe deserialization"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Daniel Le Gall"
          ],
          "organization": "SCRT Information Security"
        }
      ],
      "cve": "CVE-2019-3805",
      "cwe": {
        "id": "CWE-364",
        "name": "Signal Handler Race Condition"
      },
      "discovery_date": "2018-11-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1660263"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was discovered in wildfly that would allow local users, who are able to execute init.d script, to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "wildfly: Race condition on PID file allows for termination of arbitrary processes by local users",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Fuse 7.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-3805"
        },
        {
          "category": "external",
          "summary": "RHBZ#1660263",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1660263"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-3805",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-3805"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-3805",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3805"
        }
      ],
      "release_date": "2019-04-30T17:12:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-08-08T10:08:27+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.4.0 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/",
          "product_ids": [
            "Red Hat Fuse 7.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:2413"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Fuse 7.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "wildfly: Race condition on PID file allows for termination of arbitrary processes by local users"
    }
  ]
}

{
  "GSD": {
    "alias": "CVE-2018-1320",
    "description": "Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.",
    "id": "GSD-2018-1320",
    "references": [
      "https://access.redhat.com/errata/RHSA-2019:2413"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-1320"
      ],
      "details": "Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.",
      "id": "GSD-2018-1320",
      "modified": "2023-12-13T01:22:37.677362Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2018-1320",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Thrift",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache Thrift 0.5.0 to 0.11.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E"
          },
          {
            "name": "106551",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/106551"
          },
          {
            "name": "[debian-lts-announce] 20190206 [SECURITY] [DLA 1662-1] libthrift-java security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html"
          },
          {
            "name": "[infra-devnull] 20190324 [GitHub] [thrift] luciferous opened pull request #1771: THRIFT-4506: fix use of assert for correctness in Java SASL negotiation",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E"
          },
          {
            "name": "https://support.f5.com/csp/article/K36361684",
            "refsource": "CONFIRM",
            "url": "https://support.f5.com/csp/article/K36361684"
          },
          {
            "name": "[storm-dev] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E"
          },
          {
            "name": "[storm-user] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E"
          },
          {
            "name": "[announce] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E"
          },
          {
            "name": "[oss-security] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/07/24/3"
          },
          {
            "name": "RHSA-2019:2413",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:2413"
          },
          {
            "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          },
          {
            "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15422) CVE-2018-1320(The libthrift component is vulnerable to Improper Access Control) on Cassendra 3.11.4",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20191119 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20191119 [jira] [Assigned] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20210323 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20210415 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20210415 [jira] [Comment Edited] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20210415 [jira] [Commented] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E"
          },
          {
            "name": "[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[0.5.0,0.11.0]",
          "affected_versions": "All versions starting from 0.5.0 up to 0.11.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-295",
            "CWE-937"
          ],
          "date": "2019-07-24",
          "description": "An Apache Thrift Java client library can bypass SASL negotiation validation in the `org.apache.thrift.transport.TSaslTransport` class.",
          "fixed_versions": [
            "0.12.0"
          ],
          "identifier": "CVE-2018-1320",
          "identifiers": [
            "CVE-2018-1320"
          ],
          "not_impacted": "All versions before 0.5.0, all versions after 0.11.0",
          "package_slug": "maven/org.apache.thrift/libthrift",
          "pubdate": "2019-01-07",
          "solution": "Upgrade to version 0.12.0 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-1320",
            "http://www.securityfocus.com/bid/106551"
          ],
          "uuid": "69479b3c-92ba-4c86-a37b-0c6743389e4a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.11.0",
                "versionStartIncluding": "0.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:f5:traffix_signaling_delivery_controller:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.1.0",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "11.2.0.3.23",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "19.3.12",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "12.2.0.1.19",
                "versionStartIncluding": "12.2.0.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.9.4.2.1",
                "versionStartIncluding": "13.9.4.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2018-1320"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-295"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E"
            },
            {
              "name": "106551",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/106551"
            },
            {
              "name": "[debian-lts-announce] 20190206 [SECURITY] [DLA 1662-1] libthrift-java security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html"
            },
            {
              "name": "[infra-devnull] 20190324 [GitHub] [thrift] luciferous opened pull request #1771: THRIFT-4506: fix use of assert for correctness in Java SASL negotiation",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E"
            },
            {
              "name": "https://support.f5.com/csp/article/K36361684",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://support.f5.com/csp/article/K36361684"
            },
            {
              "name": "[storm-user] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E"
            },
            {
              "name": "[storm-dev] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E"
            },
            {
              "name": "[announce] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190724 [CVE-2018-1320] Apache Storm vulnerable Thrift version",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/07/24/3"
            },
            {
              "name": "RHSA-2019:2413",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2413"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15422) CVE-2018-1320(The libthrift component is vulnerable to Improper Access Control) on Cassendra 3.11.4",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191119 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191119 [jira] [Assigned] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210323 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210415 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210415 [jira] [Commented] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210415 [jira] [Comment Edited] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15424) CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-08-16T14:17Z",
      "publishedDate": "2019-01-07T17:29Z"
    }
  }
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.thrift:libthrift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "0.9.3-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.thrift:libthrift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "fixed": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:00:45Z",
    "nvd_published_at": "2019-01-07T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Thrift Java client library versions 0.5.0 prior to 0.9.3-1 and 0.10.0 prior to 0.12.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.",
  "id": "GHSA-wjxj-f8rg-99wx",
  "modified": "2024-03-04T20:36:08Z",
  "published": "2019-01-17T13:56:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1320"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/thrift/commit/7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106551"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K36361684"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/THRIFT-4506"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/thrift/releases/tag/0.9.3.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/thrift"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2413"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/24/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106551"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Input Validation in Apache Thrift"
}

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM Integration Bus ist eine \"lightweight\" ESB, welche die Integration von SOAP oder non-SOAP Datenquellen von verschiedenen Plattformen erm\u00f6glicht.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM Integration Bus ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Denial of Service Zustand herzustellen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-0723 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0723.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-0723 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0723"
      },
      {
        "category": "external",
        "summary": "IBM Security Advisory vom 2023-03-22",
        "url": "https://www.ibm.com/support/pages/node/6965298"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM Integration Bus: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-03-22T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:20:14.288+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-0723",
      "initial_release_date": "2023-03-22T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-03-22T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "IBM Integration Bus 10.0.0.26",
                "product": {
                  "name": "IBM Integration Bus 10.0.0.26",
                  "product_id": "T023560",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:integration_bus:10.0.0.26"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "IBM Integration Bus 10.1",
                "product": {
                  "name": "IBM Integration Bus 10.1",
                  "product_id": "T026788",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:integration_bus:10.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Integration Bus"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-0205",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in IBM Integration Bus. Der Fehler besteht aufgrund eines Fehlers bei der Verarbeitung nicht vertrauensw\u00fcrdiger Nutzdaten in Apache Thrift. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um in eine Endlosschleife zu gelangen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T026788",
          "T023560"
        ]
      },
      "release_date": "2023-03-22T23:00:00Z",
      "title": "CVE-2019-0205"
    },
    {
      "cve": "CVE-2018-1320",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in IBM Integration Bus. Der Fehler besteht aufgrund der Deaktivierung eines Assert, der verwendet wird, um festzustellen, ob der SASL-Handshake in Apache Thrift erfolgreich abgeschlossen wurde. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T026788",
          "T023560"
        ]
      },
      "release_date": "2023-03-22T23:00:00Z",
      "title": "CVE-2018-1320"
    }
  ]
}

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201901-0713",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "global lifecycle management opatch",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.0.1.19"
      },
      {
        "model": "nosql database",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "19.3.12"
      },
      {
        "model": "thrift",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "0.5.0"
      },
      {
        "model": "global lifecycle management opatch",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.0.1.0"
      },
      {
        "model": "global lifecycle management opatch",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.9.4.0.0"
      },
      {
        "model": "global lifecycle management opatch",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.9.4.2.1"
      },
      {
        "model": "global lifecycle management opatch",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.2.0.3.23"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "8.0"
      },
      {
        "model": "thrift",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apache",
        "version": "0.11.0"
      },
      {
        "model": "traffix signaling delivery controller",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "f5",
        "version": "5.1.0"
      },
      {
        "model": "traffix signaling delivery controller",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "f5",
        "version": "5.0.0"
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apache",
        "version": "0.5.0 to  0.11.0"
      },
      {
        "model": "gnu/linux",
        "scope": null,
        "trust": 0.8,
        "vendor": "debian",
        "version": null
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.11"
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.10"
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.9.3"
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.9.2"
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.9.1"
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.5"
      },
      {
        "model": "thrift",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.9"
      },
      {
        "model": "thrift",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apache",
        "version": "0.12"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "106551"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.11.0",
                "versionStartIncluding": "0.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:f5:traffix_signaling_delivery_controller:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.1.0",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "11.2.0.3.23",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "19.3.12",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "12.2.0.1.19",
                "versionStartIncluding": "12.2.0.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.9.4.2.1",
                "versionStartIncluding": "13.9.4.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Red Hat",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "153980"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2018-1320",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2018-1320",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "VHN-123235",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2018-1320",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-1320",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201901-099",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-123235",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete. Apache Thrift Contains an input validation vulnerability.Information may be tampered with. Apache Thrift is prone to a security-bypass vulnerability. \nSuccessful exploits may allow an attacker to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. \nApache Thrift versions 0.5.0 through 0.11.0 are vulnerable. The Java client library is one of the client libraries. Attackers can exploit this vulnerability to bypass security detection. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Important: Red Hat Fuse 7.4.0 security update\nAdvisory ID:       RHSA-2019:2413-01\nProduct:           Red Hat JBoss Fuse\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2019:2413\nIssue date:        2019-08-08\nCVE Names:         CVE-2016-10750 CVE-2018-1258 CVE-2018-1320\n                   CVE-2018-8088 CVE-2018-10899 CVE-2018-15758\n                   CVE-2019-0192 CVE-2019-3805\n====================================================================\n1. Summary:\n\nA minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse. \nThe purpose of this text-only errata is to inform you about the security\nissues fixed in this release. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nThis release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse\n7.3, and includes bug fixes and enhancements, which are documented in the\nRelease Notes document linked to in the References. \n\nSecurity Fix(es):\n\n* hazelcast: java deserialization in join cluster procedure leading to\nremote code execution (CVE-2016-10750)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow\nfor arbitrary code execution (CVE-2018-8088)\n\n* jolokia: system-wide CSRF that could lead to Remote Code Execution\n(CVE-2018-10899)\n\n* spring-security-oauth: Privilege escalation by manipulating saved\nauthorization request (CVE-2018-15758)\n\n* solr: remote code execution due to unsafe deserialization (CVE-2019-0192)\n\n* thrift: SASL negotiation isComplete validation bypass in the\norg.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)\n\n* spring-security-core: Unauthorized Access with Spring Security Method\nSecurity (CVE-2018-1258)\n\n* wildfly: Race condition on PID file allows for termination of arbitrary\nprocesses by local users (CVE-2019-3805)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nInstallation instructions are available from the Fuse 7.4.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution\n1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security\n1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution\n1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request\n1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users\n1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class\n1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization\n1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2016-10750\nhttps://access.redhat.com/security/cve/CVE-2018-1258\nhttps://access.redhat.com/security/cve/CVE-2018-1320\nhttps://access.redhat.com/security/cve/CVE-2018-8088\nhttps://access.redhat.com/security/cve/CVE-2018-10899\nhttps://access.redhat.com/security/cve/CVE-2018-15758\nhttps://access.redhat.com/security/cve/CVE-2019-0192\nhttps://access.redhat.com/security/cve/CVE-2019-3805\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.4.0\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXUv0xNzjgjWX9erEAQhCzRAAjdpuIeE+WhWxaZpzsfh333p6RXGKoB8g\n4BGVD7yZjSNoPmRzkSuaNUTT0wYZdRLSNeYK1FvxqZlTBesHbe3IV80gDNiV2vad\nVzwNYukUoa6s8hdzKY/zCKwhuZ5cWkk+FLjFAPEfZt2Typ3kyYPnK/RxNnzfeSgc\n90xh60LImUIJK/hGyOL40z8pGFbG404TJbdezYnQt0/l0NBGxPqBGOHnIgpZhAgw\ngNMEglpIrxap4UzwSEzA5tmjRUDHeUBpsUpKsez5XL2ECssqrRyK8Hj/KeacnARF\nMnvf4U/lIOamD6Tles8IAFo/kexW+OxKiHbivOFutraLdEXysgkK8Uf5EQqYKW9+\n7OgEuyMxUi5Pbj4kL666iBp5oV95gEHm2zcQEbn65BFJ3nomb5nReHh5t7G0AqHy\nGYj9dlx84+UG0Fr717Vi586KwtCu6rgdZJS25+0kSCeZk/cowYLW09G+j/+Jk3yg\nN/uUfoxqmC/A+SyupFh1A9XZg7oZhkB+Qwo6D2+BejiwXsD8Jv4uzrI7U7+Lg/YK\nUFa2oqArMKNrF0zf9152lqCEpOL8dCO3X8RcB8LmQcapmr1MYGB+18oNT4o3JcY3\nAa1hoi5+2gGgR7HHuqTsxnDXYPtgqR9CMylc5gmYsMFK5W3sNX8Z/qazoH3fIVtu\nNNAto03aZgE=rpUB\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "BID",
        "id": "106551"
      },
      {
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "db": "PACKETSTORM",
        "id": "153980"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-1320",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "106551",
        "trust": 2.0
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2019/07/24/3",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "153980",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2023.1788",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.3040",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.4254",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2022041520",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-123235",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "db": "BID",
        "id": "106551"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "PACKETSTORM",
        "id": "153980"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ]
  },
  "id": "VAR-201901-0713",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-123235"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T11:18:43.061000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "[SECURITY] CVE-2018-1320 Announcement",
        "trust": 0.8,
        "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3cuser.thrift.apache.org%3e"
      },
      {
        "title": "[SECURITY] [DLA 1662-1] libthrift-java security update",
        "trust": 0.8,
        "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html"
      },
      {
        "title": "Apache Thrift Java client library Remediation measures for authorization problem vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=88292"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-295",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-20",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://access.redhat.com/errata/rhsa-2019:2413"
      },
      {
        "trust": 2.3,
        "url": "http://www.securityfocus.com/bid/106551"
      },
      {
        "trust": 1.7,
        "url": "https://support.f5.com/csp/article/k36361684"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
      },
      {
        "trust": 1.7,
        "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html"
      },
      {
        "trust": 1.7,
        "url": "http://www.openwall.com/lists/oss-security/2019/07/24/3"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3cuser.thrift.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9%40%3cdevnull.infra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3%40%3cuser.thrift.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f%40%3cdev.storm.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc%40%3cuser.storm.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80%40%3cannounce.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3cissues.drill.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1320"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1320"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3cannounce.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3ccommits.cassandra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3cissues.drill.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3cdevnull.infra.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3cdev.storm.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3cuser.storm.apache.org%3e"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/153980/red-hat-security-advisory-2019-2413-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2019.3040/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2023.1788"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2022041520"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.4254/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-3/"
      },
      {
        "trust": 0.3,
        "url": "https://issues.apache.org/jira/browse/thrift-4506"
      },
      {
        "trust": 0.3,
        "url": "https://thrift.apache.org/"
      },
      {
        "trust": 0.3,
        "url": "https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1258"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.4.0"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-1320"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-10899"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-10750"
      },
      {
        "trust": 0.1,
        "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-0192"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-8088"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10899"
      },
      {
        "trust": 0.1,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2016-10750"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-15758"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-8088"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0192"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-1258"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-3805"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-15758"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3805"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "db": "BID",
        "id": "106551"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "PACKETSTORM",
        "id": "153980"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "db": "BID",
        "id": "106551"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "db": "PACKETSTORM",
        "id": "153980"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-1320"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-01-07T00:00:00",
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "date": "2019-01-07T00:00:00",
        "db": "BID",
        "id": "106551"
      },
      {
        "date": "2019-03-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "date": "2019-08-08T14:34:03",
        "db": "PACKETSTORM",
        "id": "153980"
      },
      {
        "date": "2019-01-07T17:29:00.360000",
        "db": "NVD",
        "id": "CVE-2018-1320"
      },
      {
        "date": "2019-01-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-04T00:00:00",
        "db": "VULHUB",
        "id": "VHN-123235"
      },
      {
        "date": "2019-01-07T00:00:00",
        "db": "BID",
        "id": "106551"
      },
      {
        "date": "2019-03-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      },
      {
        "date": "2023-11-07T02:55:57.850000",
        "db": "NVD",
        "id": "CVE-2018-1320"
      },
      {
        "date": "2023-03-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apache Thrift Input validation vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-001445"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201901-099"
      }
    ],
    "trust": 0.6
  }
}