CVE-2018-11798

CWE-538 CWE-284 — Improper Access Control CWE-22 — Path Traversal10 documents7 sources

Severity

6.5MEDIUM

EPSS

0.5%

top 32.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Thrift Apache Software Foundation Apache Thrift

Timeline

PublishedJan 7

Latest updateJan 17

Description

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.apache.thrift:libthrift0.9.2 — 0.12.0

▶NVDapache/thrift0.9.2 — 0.11.0

▶CVEListV5apache_software_foundation/apache_thriftApache Thrift 0.9.2 to 0.11.0

▶Debianthrift< 0.11.0-4+3

🔴Vulnerability Details

OSV

Apache Thrift Node.js static web server sandbox escape↗2019-01-17

▶

GHSA

Apache Thrift Node.js static web server sandbox escape↗2019-01-17

▶

CVEList

CVE-2018-11798: The Apache Thrift Node↗2019-01-07

▶

OSV

CVE-2018-11798: The Apache Thrift Node↗2019-01-07

▶

📋Vendor Advisories

Red Hat

thrift: Improper Access Control grants access to files outside the webservers docroot path↗2018-10-05

▶

Debian

CVE-2018-11798: thrift - The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 hav...↗2018

▶

💬Community

Bugzilla

CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path [fedora-all]↗2019-01-17

▶

Bugzilla

CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path [epel-7]↗2019-01-17

▶

Bugzilla

CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path↗2019-01-17

▶