Details
- Type: Bug
- Status: Resolved
- Priority: Normal
- Resolution: Won't Fix
- Fix Version/s: None
- Component/s: Security - Denial of Service
- Severity: Normal
- Complexity: Low Hanging Fruit
- Discovered By: User Report
- Platform: All
- Since Version: None
Description
Cassandra 3.x and 2.x use libthrift 0.9.2, which has a number of known vulnerabilities that are applicable to Cassandra:
- CVE-2015-3254
- CVE-2018-1320 (CASSANDRA-15424)
- CVE-2019-0205 (CASSANDRA-15420)
Updating to 0.9.3-1 would mitigate these; however, that branch is affected by CVE-2020-13949.
To mitigate the risks of running an out-of-date libthrift, Cassandra should be updated to use libthrift 0.14.0.
Issue Links
- fixes
  - CASSANDRA-15420 CVE-2019-0205 (Apache Thrift all versions up to and including 0.12.0) on version Cassandra 3.11.4 (Resolved)
  - CASSANDRA-15424 CVE-2018-1320 (The libthrift component is vulnerable to Improper Access Control) (Resolved)