[security][CRITICAL] thrift 0.20.0: 17 CVE require triage #1

Open
opened 2026-05-25 20:44:24 +03:00 by sbelikov · 0 comments
Owner

CVE triage request

Package

  • Package: thrift
  • Version: 0.20.0
  • EVR: 0.20.0-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: CRITICAL
  • Max CVSS: 9.8
  • CVE count: 17
  • Included NiceOS statuses: needs_triage
  • Included match types: cpe-range

LLM recommendation

RU

For the package thrift 0.20.0, candidate CVEs were found from NVD/CPE data: CVE-2019-11938, CVE-2019-11939, CVE-2019-3552, CVE-2019-3553, CVE-2019-3558, CVE-2019-3559, CVE-2019-3564, CVE-2019-3565, CVE-2021-24028, CVE-2025-48431, CVE-2026-41602, CVE-2026-41603, CVE-2026-41604, CVE-2026-41605, CVE-2026-41636, CVE-2026-43869, CVE-2026-43870. Security-team triage is required.

Check the applicability of each CVE to the НАЙС.ОС build, compare against the upstream/vendor advisory, set the affected/fixed/not_affected status, and prepare a package update if necessary.

Recommended action: needs_triage

Target version hint: -

Tests: check the RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and the regression scenarios for the package class.

Risks: an automatic NVD/CPE match is not the final verdict for НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for thrift 0.20.0: CVE-2019-11938, CVE-2019-11939, CVE-2019-3552, CVE-2019-3553, CVE-2019-3558, CVE-2019-3559, CVE-2019-3564, CVE-2019-3565, CVE-2021-24028, CVE-2025-48431, CVE-2026-41602, CVE-2026-41603, CVE-2026-41604, CVE-2026-41605, CVE-2026-41636, CVE-2026-43869, CVE-2026-43870. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason |
|---|---|---:|---|---:|---|---|---|---|
| CVE-2021-24028 | CRITICAL | 9.8 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2026-41636 | HIGH | 8.7 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2026-41604 | HIGH | 8.2 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-11938 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-11939 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-3552 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-3553 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-3558 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-3559 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-3564 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2019-3565 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2025-48431 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2026-41602 | HIGH | 7.5 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2026-41603 | HIGH | 7.4 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2026-41605 | HIGH | 7.3 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2026-43869 | HIGH | 7.3 | cpe-range | 80 | needs_triage | | | package version is inside version range |
| CVE-2026-43870 | HIGH | 7.3 | cpe-range | 80 | needs_triage | | | package version is inside version range |

Descriptions

CVE-2021-24028

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.

CVE-2026-41636

Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CVE-2026-41604

Out-of-bounds Read vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CVE-2019-11938

Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.

CVE-2019-11939

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

CVE-2019-3552

C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.

CVE-2019-3553

C++ Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.02.03.00.

CVE-2019-3558

Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.

CVE-2019-3559

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.

CVE-2019-3564

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.

CVE-2019-3565

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.05.06.00.

CVE-2025-48431

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

CVE-2026-41602

Integer Overflow or Wraparound vulnerability in the Apache Thrift TFramedTransport Go language implementation.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CVE-2026-41603

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CVE-2026-41605

Integer Overflow or Wraparound vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CVE-2026-43869

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

CVE-2026-43870

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Scanner integration

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
After real creation, this script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2019-11938",
    "CVE-2019-11939",
    "CVE-2019-3552",
    "CVE-2019-3553",
    "CVE-2019-3558",
    "CVE-2019-3559",
    "CVE-2019-3564",
    "CVE-2019-3565",
    "CVE-2021-24028",
    "CVE-2025-48431",
    "CVE-2026-41602",
    "CVE-2026-41603",
    "CVE-2026-41604",
    "CVE-2026-41605",
    "CVE-2026-41636",
    "CVE-2026-43869",
    "CVE-2026-43870"
  ],
  "fingerprint": "d0935469c4c870017a87",
  "generated_at": "2026-05-25T17:44:23Z",
  "match_ids": [
    1785,
    1786,
    1787,
    1788,
    1789,
    1792,
    1794,
    1795,
    1796,
    1797,
    1798,
    1799,
    1800,
    1801,
    1802,
    1803,
    1804
  ],
  "match_types": [
    "cpe-range"
  ],
  "package": "thrift",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "0.20.0"
}