Miggo Logo
Miggo Vulnerability Database
CVE-2018-1320

CVE-2018-1320: Improper Input Validation in Apache Thrift

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2018-1320
GHSA ID
GHSA-wjxj-f8rg-99wx
EPSS Score
0.30593%
CWE
CWE-20
Published
1/17/2019
Updated
3/4/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.thrift:libthriftmaven>= 0.5.0, < 0.9.3-10.9.3-1
org.apache.thrift:libthriftmaven>= 0.10.0, < 0.12.00.12.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from using a Java assert statement to validate() SASL handshake completion in TSaslTransport.java. Assertions are not enabled in production environments by default (-ea JVM flag required), making this validation ineffective. The patch (THRIFT-4506) removed this assertion and modified control flow to properly enforce validation. The commit diff and CVE description both explicitly reference this assertion as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** T*ri*t J*v* *li*nt li*r*ry v*rsions *.*.* prior to *.*.*-* *n* *.**.* prior to *.**.* **n *yp*ss S*SL n**oti*tion is*ompl*t* v*li**tion in t** or*.*p****.t*ri*t.tr*nsport.TS*slTr*nsport *l*ss. *n *ss*rt us** to **t*rmin* i* t** S*SL **n*s**k*

Reasoning

T** vuln*r**ility st*mm** *rom usin* * J*v* *ss*rt st*t*m*nt to `v*li**t*()` S*SL **n*s**k* *ompl*tion in `TS*slTr*nsport.j*v*`. *ss*rtions *r* not *n**l** in pro*u*tion *nvironm*nts *y ****ult (-** JVM *l** r*quir**), m*kin* t*is `v*li**tion` in****