Severity: 8.8 HIGH
EPSS: 22.6% (top 4.15%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 12; Latest update May 13

Description

During Go code generation, the Apache Thrift compiler's Go generator (t_go_generator.cc, format_go_output(), part of the Go client library) invoked an external formatting tool on the generated output without properly sanitizing the output file path, so a crafted path could inject shell commands into that invocation. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
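The root cause named in the Red Hat advisory is a file path spliced into a shell command line for the external formatter. The following C++ example is added here to illustrate that pattern and two hardened alternatives; it is not Apache Thrift's code and does not reproduce the fix shipped in 0.10.0. The function names, the hostile sample path and the use of gofmt as the formatter are assumptions for the illustration.

```cpp
// Added illustration (not Apache Thrift's own code): what goes wrong when an
// output file path is handed to a shell as part of a command string, and how
// to pass it as a single argv element instead.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Vulnerable pattern: the output file name is concatenated into one string that
// a shell will parse (e.g. via system()). Characters such as ';', '&&', '|' or
// '$(...)' inside the file name become separate commands.
std::string build_shell_command(const std::string& formatter, const std::string& out_path) {
    return formatter + " -w " + out_path;
}

// Hardened pattern 1: a conservative allowlist for the output path. Anything
// that is not a plain path character is rejected before the path is used.
bool is_safe_output_path(const std::string& p) {
    if (p.empty() || p.size() > 4096) return false;
    for (unsigned char c : p) {
        if (!(std::isalnum(c) || c == '_' || c == '-' || c == '.' || c == '/')) return false;
    }
    return p.find("..") == std::string::npos;  // also refuse parent-directory traversal
}

// Hardened pattern 2: build an argv vector. Each element reaches the program
// verbatim because no shell ever parses it; a hostile name is just an odd file name.
std::vector<std::string> formatter_argv(const std::string& formatter, const std::string& out_path) {
    return {formatter, "-w", out_path};
}

// Run argv directly with fork/execvp (no /bin/sh involved). Returns the child's
// exit status, 127 if the program could not be executed, or -1 on a fork/wait error.
int run_argv(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed hostile output path: a shell would run "touch /tmp/pwned" after gofmt.
    const std::string hostile = "gen-go/svc.go; touch /tmp/pwned";
    std::printf("shell string a system() call would parse: %s\n",
                build_shell_command("gofmt", hostile).c_str());
    std::printf("allowlist accepts hostile path? %s\n", is_safe_output_path(hostile) ? "yes" : "no");
    std::vector<std::string> argv = formatter_argv("gofmt", hostile);
    std::printf("as argv, the whole name is one element: \"%s\"\n", argv[2].c_str());
    std::printf("/bin/true via run_argv exits with %d\n", run_argv({"/bin/true"}));
    return 0;
}
```

Of the two hardened patterns, the argv form is the one that removes the bug class: a generator that never invokes a shell has no shell metacharacters to sanitize. The allowlist is still worth keeping as defence in depth, since the output path also decides where the generator writes files.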

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 4 packages

NVD: apache/thrift 0.9.3
CVEListV5: apache_software_foundation/apache_thrift, versions prior to 0.10.0
Debian: thrift < 0.11.0-3+3

🔴 Vulnerability Details (4)

GHSA: Apache Thrift Go Library Command Injection (2022-05-13)
OSV: Apache Thrift Go Library Command Injection (2022-05-13)
OSV: CVE-2016-5397: The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool (2018-02-12)
CVEList: CVE-2016-5397: The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool (2018-02-12)

📋 Vendor Advisories (2)

Red Hat: thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (2016-07-04)
Debian: CVE-2016-5397: thrift - The Apache Thrift Go client library exposed the potential during code generation... (2016)

💬 Community (2)

Bugzilla: CVE-2016-5397 thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (2018-02-13)
Bugzilla: CVE-2016-5397 thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands [epel-all] (2018-02-13)