CVE-2019-12408

CWE-909 | 6 documents | 5 sources

Severity: 7.5 HIGH
EPSS: 3.3% (top 12.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2019-11-08 | Latest update 2022-05-24

Description

It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had an uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats. Readers never look at the bytes under a slot the validity bitmap marks null, which is why the bug is invisible in-process; IPC and Flight, however, serialize the value buffer as-is, so whatever the allocation previously held leaves the process along with the real data.
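The mechanism in the description, as an added illustration that is not Apache Arrow's code: a toy fixed-width array builder in the buggy pattern (null slots are never written) beside the hardened form (every slot is defined), an IPC-style writer that copies the raw value buffer without consulting the validity bitmap, and the check a receiver can run over what arrived. STALE_BYTE, the sample values, the null mask and every function name are constructed for this example; how Arrow's own builders and IPC writer are implemented is not shown on this page.

```c
/* Constructed illustration of the CWE-909 bug class behind CVE-2019-12408.
 * Not Apache Arrow code: a toy builder, a raw-buffer writer and a consumer
 * check, built to show why uninitialized null slots leak through IPC. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stands in for leftover heap contents.  Assumption for determinism: a real
 * allocator hands back whatever the previous owner left; we fill it ourselves. */
#define STALE_BYTE 0xAA

typedef struct {
    uint8_t *validity;  /* Arrow-style validity bitmap: bit i set => slot i is valid */
    int32_t *values;    /* fixed-width value buffer, one int32 per slot */
    size_t   length;
} Int32Array;

static int is_valid(const uint8_t *validity, size_t i)
{
    return (validity[i / 8] >> (i % 8)) & 1;
}

/* Build an array from values plus a null mask.
 * zero_nulls == 0 reproduces the bug pattern: null slots are never written.
 * zero_nulls == 1 is the hardened form: every slot gets a defined value. */
static Int32Array build_int32(const int32_t *in, const uint8_t *is_null,
                              size_t n, int zero_nulls)
{
    Int32Array a;
    a.length   = n;
    a.validity = calloc((n + 7) / 8, 1);
    a.values   = malloc(n * sizeof(int32_t));
    memset(a.values, STALE_BYTE, n * sizeof(int32_t)); /* simulate a dirty allocation */

    for (size_t i = 0; i < n; i++) {
        if (is_null[i]) {
            if (zero_nulls)
                a.values[i] = 0;   /* hardened: define the slot even though it is null */
            /* vulnerable: nothing written, slot keeps the STALE_BYTE contents */
        } else {
            a.validity[i / 8] |= (uint8_t)(1u << (i % 8));
            a.values[i] = in[i];
        }
    }
    return a;
}

/* An IPC/Flight-style writer copies the raw buffer; it does not consult the
 * validity bitmap.  Returns the number of bytes written, 0 if out is too small. */
static size_t serialize_values(const Int32Array *a, uint8_t *out, size_t cap)
{
    size_t nbytes = a->length * sizeof(int32_t);
    if (nbytes > cap) return 0;
    memcpy(out, a->values, nbytes);
    return nbytes;
}

/* Consumer-side check: count null slots whose serialized bytes are not all
 * zero.  Anything above zero means bytes the producer never meant to send
 * crossed the trust boundary. */
static size_t count_leaked_null_slots(const uint8_t *buf, const uint8_t *validity,
                                      size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_valid(validity, i)) continue;
        const uint8_t *slot = buf + i * sizeof(int32_t);
        for (size_t b = 0; b < sizeof(int32_t); b++) {
            if (slot[b] != 0) { leaked++; break; }
        }
    }
    return leaked;
}

/* Run the constructed sample through builder -> writer -> check and return
 * how many null slots carried stale bytes. */
size_t leaked_slots_demo(int zero_nulls)
{
    static const int32_t sample[]    = {1, 2, 3, 4, 5};  /* constructed input */
    static const uint8_t null_mask[] = {0, 1, 0, 1, 1};  /* three null slots */
    size_t n = sizeof(sample) / sizeof(sample[0]);
    uint8_t wire[64];

    Int32Array a = build_int32(sample, null_mask, n, zero_nulls);
    size_t written = serialize_values(&a, wire, sizeof wire);
    size_t leaked = written ? count_leaked_null_slots(wire, a.validity, n) : 0;
    free(a.validity);
    free(a.values);
    return leaked;
}

int main(void)
{
    printf("vulnerable builder: %zu null slots carry stale bytes\n", leaked_slots_demo(0));
    printf("hardened builder:   %zu null slots carry stale bytes\n", leaked_slots_demo(1));
    return 0;
}
```

The receiver check is a heuristic for auditing a stream or archive you already hold: a null slot that happens to contain zeros passes, and with the real producer the fix belongs in the builder, not in the reader. The point it makes is the one that matters for triage: the validity bitmap hides the stale bytes from every in-process consumer, so nothing short of inspecting the serialized buffer reveals the leak.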

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Note that the vector as displayed here scores availability only (C:N/I:N/A:H), while the description above is a disclosure of uninitialized memory; check the vector against the NVD entry before relying on it for prioritisation.

Affected Packages (4 packages)

Source    | Package                                 | Versions
NVD       | apache/arrow                            | 0.14.0 to 0.14.1
CVEListV5 | apache_software_foundation/apache_arrow | Apache Arrow 0.14.0 to 0.14.1
PyPI      | pyarrow                                 | 0.14.0 to 0.15.0 (+1)
RubyGems  | red-arrow                               | 0.14.0 to 0.15.1

🔴 Vulnerability Details (4)

GHSA: Missing Initialization of Resource in Apache Arrow (2022-05-24)
OSV: Missing Initialization of Resource in Apache Arrow (2022-05-24)
OSV: CVE-2019-12408: It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0… (2019-11-08)
CVEList: CVE-2019-12408: It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0… (2019-11-08)

📋 Vendor Advisories (1)

Debian: CVE-2019-12408: apache-arrow - It was discovered that the C++ implementation (which underlies the R, Python and... (2019)