You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zeppelin.apache.org by "vinayak shedgeri (JIRA)" <ji...@apache.org> on 2018/09/26 10:53:00 UTC

[jira] [Created] (ZEPPELIN-3793) Zeppelin uses 0.9.2 org.apache.thrift which has security vulnerability CVE-2015-3254

vinayak shedgeri created ZEPPELIN-3793:
------------------------------------------

             Summary: Zeppelin uses 0.9.2 org.apache.thrift which has security vulnerability CVE-2015-3254
                 Key: ZEPPELIN-3793
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3793
             Project: Zeppelin
          Issue Type: Bug
          Components: zeppelin-interpreter
    Affects Versions: 0.8.0
            Reporter: vinayak shedgeri
             Fix For: 0.8.0


Zeppelin uses org.apache.thrift:0.9.2 which has following security vulnerability.
Vulnerability details:
Number:CVE-2015-3254
Description:

The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.

(source:https://www.cvedetails.com/cve/CVE-2015-3254/)

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.

(source:https://www.cvedetails.com/cve/CVE-2016-5397/ [)|https://www.cvedetails.com/cve/CVE-2016-5397/]

Is there any upgrade/alternate planned for above issue?

When i used org.apache.thrift 0.10.0. and 0.11.0 shows compilation error when i build from source



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)