GSD-2019-12408

Vulnerability from gsd - Updated: 2022-05-24 00:00
Details
It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
Aliases
Aliases
CVE-2019-12408
To clipboard 

{
  "GSD": {
    "alias": "CVE-2019-12408",
    "description": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
    "id": "GSD-2019-12408"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "red-arrow",
            "purl": "pkg:gem/red-arrow"
          }
        }
      ],
      "aliases": [
        "CVE-2019-12408",
        "GHSA-8cw2-jv5c-c825"
      ],
      "details": "It was discovered that the C++ implementation (which underlies the R,\nPython and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized\nmemory bug when building arrays with null values in some cases. This can lead to\nuninitialized memory being unintentionally shared if Arrow Arrays are transmitted\nover the wire (for instance with Flight) or persisted in the streaming IPC and file\nformats.\n",
      "id": "GSD-2019-12408",
      "modified": "2022-05-24T00:00:00.000Z",
      "published": "2022-05-24T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
        },
        {
          "type": "WEB",
          "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Missing Initialization of Resource in Apache Arrow"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2019-12408",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Arrow",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache Arrow 0.14.0 to 0.14.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "refsource": "CONFIRM",
            "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
          },
          {
            "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-12408",
      "cvss_v3": 7.5,
      "date": "2022-05-24",
      "description": "It was discovered that the C++ implementation (which underlies the R,\nPython and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized\nmemory bug when building arrays with null values in some cases. This can lead to\nuninitialized memory being unintentionally shared if Arrow Arrays are transmitted\nover the wire (for instance with Flight) or persisted in the streaming IPC and file\nformats.\n",
      "gem": "red-arrow",
      "ghsa": "8cw2-jv5c-c825",
      "patched_versions": [
        "\u003e= 0.15.1"
      ],
      "related": {
        "url": [
          "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
        ]
      },
      "title": "Missing Initialization of Resource in Apache Arrow",
      "unaffected_versions": [
        "\u003c 0.14.0"
      ],
      "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.14.0 \u003c=0.14.1",
          "affected_versions": "All versions starting from 0.14.0 up to 0.14.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2019-11-13",
          "description": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow has an uninitialized memory bug when building arrays with `null` values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.15.0"
          ],
          "identifier": "CVE-2019-12408",
          "identifiers": [
            "CVE-2019-12408"
          ],
          "not_impacted": "All versions before 0.14.0, all versions after 0.14.1",
          "package_slug": "gem/red-arrow",
          "pubdate": "2019-11-08",
          "solution": "Upgrade to version 0.15.0 or above.",
          "title": "NULL Pointer Dereference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12408"
          ],
          "uuid": "bf4f0b78-13b3-4931-a7fa-662ae8fa4e54"
        },
        {
          "affected_range": "\u003e=0.14.0,\u003c0.15.1",
          "affected_versions": "All versions starting from 0.14.0 before 0.15.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2022-06-28",
          "description": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.15.1"
          ],
          "identifier": "CVE-2019-12408",
          "identifiers": [
            "GHSA-8cw2-jv5c-c825",
            "CVE-2019-12408"
          ],
          "not_impacted": "All versions before 0.14.0, all versions starting from 0.15.1",
          "package_slug": "pypi/arrow",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 0.15.1 or above.",
          "title": "Missing Initialization of Resource",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12408",
            "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E",
            "https://github.com/advisories/GHSA-8cw2-jv5c-c825"
          ],
          "uuid": "44177710-30dc-492c-aeca-61d6f22c3e29"
        },
        {
          "affected_range": "\u003e=0.14.0,\u003c=0.14.1",
          "affected_versions": "All versions starting from 0.14.0 up to 0.14.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2019-11-13",
          "description": "Apache Arrow has an uninitialized memory bug when building arrays with `null` values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.14.2"
          ],
          "identifier": "CVE-2019-12408",
          "identifiers": [
            "CVE-2019-12408"
          ],
          "not_impacted": "All versions before 0.14.0, all versions after 0.14.1",
          "package_slug": "pypi/pyarrow",
          "pubdate": "2019-11-08",
          "solution": "Upgrade to version 0.14.2 or above.",
          "title": "NULL Pointer Dereference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12408",
            "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
          ],
          "uuid": "47830733-aaf3-46e1-9a3f-131b3a7b4a81"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:arrow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.14.1",
                "versionStartIncluding": "0.14.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-12408"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-909"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
              "refsource": "CONFIRM",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
            },
            {
              "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-08-24T17:37Z",
      "publishedDate": "2019-11-08T19:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.