Moderate severityNVD Advisory· Published Jan 7, 2019· Updated Aug 5, 2024
CVE-2018-11798
CVE-2018-11798
Description
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.thrift:libthriftMaven | >= 0.9.2, < 0.12.0 | 0.12.0 |
Affected products
136- osv-coords135 versionspkg:apk/chainguard/trinopkg:apk/chainguard/trino-configpkg:apk/chainguard/trino-oci-entrypointpkg:apk/chainguard/trino-plugin-accumulopkg:apk/chainguard/trino-plugin-ai-functionspkg:apk/chainguard/trino-plugin-atoppkg:apk/chainguard/trino-plugin-bigquerypkg:apk/chainguard/trino-plugin-blackholepkg:apk/chainguard/trino-plugin-cassandrapkg:apk/chainguard/trino-plugin-clickhousepkg:apk/chainguard/trino-plugin-delta-lakepkg:apk/chainguard/trino-plugin-druidpkg:apk/chainguard/trino-plugin-duckdbpkg:apk/chainguard/trino-plugin-elasticsearchpkg:apk/chainguard/trino-plugin-example-httppkg:apk/chainguard/trino-plugin-exasolpkg:apk/chainguard/trino-plugin-exchange-filesystempkg:apk/chainguard/trino-plugin-exchange-hdfspkg:apk/chainguard/trino-plugin-fakerpkg:apk/chainguard/trino-plugin-functions-pythonpkg:apk/chainguard/trino-plugin-geospatialpkg:apk/chainguard/trino-plugin-google-sheetspkg:apk/chainguard/trino-plugin-hivepkg:apk/chainguard/trino-plugin-http-event-listenerpkg:apk/chainguard/trino-plugin-http-server-event-listenerpkg:apk/chainguard/trino-plugin-hudipkg:apk/chainguard/trino-plugin-icebergpkg:apk/chainguard/trino-plugin-ignitepkg:apk/chainguard/trino-plugin-jmxpkg:apk/chainguard/trino-plugin-kafkapkg:apk/chainguard/trino-plugin-kafka-event-listenerpkg:apk/chainguard/trino-plugin-kinesispkg:apk/chainguard/trino-plugin-kudupkg:apk/chainguard/trino-plugin-lakehousepkg:apk/chainguard/trino-plugin-ldap-group-providerpkg:apk/chainguard/trino-plugin-local-filepkg:apk/chainguard/trino-plugin-lokipkg:apk/chainguard/trino-plugin-mariadbpkg:apk/chainguard/trino-plugin-memorypkg:apk/chainguard/trino-plugin-mlpkg:apk/chainguard/trino-plugin-mongodbpkg:apk/chainguard/trino-plugin-mysqlpkg:apk/chainguard/trino-plugin-mysql-event-listenerpkg:apk/chainguard/trino-plugin-opapkg:apk/chainguard/trino-plugin-openlineagepkg:apk/chainguard/trino-plugin-opensearchpkg:apk/chainguard/trino-plugin-oraclepkg:apk/chainguard/trino-plugin-password-authenticatorspkg:apk/chainguard/trino-plugin-phoenix5pkg:apk/chainguard/trino-plugin-pinotpkg:apk/chainguard/trino-plugin-postgresqlpkg:apk/chainguard/trino-plugin-prometheuspkg:apk/chainguard/trino-plugin-rangerpkg:apk/chainguard/trino-plugin-raptor-legacypkg:apk/chainguard/trino-plugin-redispkg:apk/chainguard/trino-plugin-redshiftpkg:apk/chainguard/trino-plugin-resource-group-managerspkg:apk/chainguard/trino-plugin-session-property-managerspkg:apk/chainguard/trino-plugin-singlestorepkg:apk/chainguard/trino-plugin-snowflakepkg:apk/chainguard/trino-plugin-spooling-filesystempkg:apk/chainguard/trino-plugin-sqlserverpkg:apk/chainguard/trino-plugin-teradata-functionspkg:apk/chainguard/trino-plugin-thriftpkg:apk/chainguard/trino-plugin-tpcdspkg:apk/chainguard/trino-plugin-tpchpkg:apk/chainguard/trino-plugin-verticapkg:apk/wolfi/trinopkg:apk/wolfi/trino-configpkg:apk/wolfi/trino-oci-entrypointpkg:apk/wolfi/trino-plugin-accumulopkg:apk/wolfi/trino-plugin-ai-functionspkg:apk/wolfi/trino-plugin-atoppkg:apk/wolfi/trino-plugin-bigquerypkg:apk/wolfi/trino-plugin-blackholepkg:apk/wolfi/trino-plugin-cassandrapkg:apk/wolfi/trino-plugin-clickhousepkg:apk/wolfi/trino-plugin-delta-lakepkg:apk/wolfi/trino-plugin-druidpkg:apk/wolfi/trino-plugin-duckdbpkg:apk/wolfi/trino-plugin-elasticsearchpkg:apk/wolfi/trino-plugin-example-httppkg:apk/wolfi/trino-plugin-exasolpkg:apk/wolfi/trino-plugin-exchange-filesystempkg:apk/wolfi/trino-plugin-exchange-hdfspkg:apk/wolfi/trino-plugin-fakerpkg:apk/wolfi/trino-plugin-functions-pythonpkg:apk/wolfi/trino-plugin-geospatialpkg:apk/wolfi/trino-plugin-google-sheetspkg:apk/wolfi/trino-plugin-hivepkg:apk/wolfi/trino-plugin-http-event-listenerpkg:apk/wolfi/trino-plugin-http-server-event-listenerpkg:apk/wolfi/trino-plugin-hudipkg:apk/wolfi/trino-plugin-icebergpkg:apk/wolfi/trino-plugin-ignitepkg:apk/wolfi/trino-plugin-jmxpkg:apk/wolfi/trino-plugin-kafkapkg:apk/wolfi/trino-plugin-kafka-event-listenerpkg:apk/wolfi/trino-plugin-kinesispkg:apk/wolfi/trino-plugin-kudupkg:apk/wolfi/trino-plugin-lakehousepkg:apk/wolfi/trino-plugin-ldap-group-providerpkg:apk/wolfi/trino-plugin-local-filepkg:apk/wolfi/trino-plugin-lokipkg:apk/wolfi/trino-plugin-mariadbpkg:apk/wolfi/trino-plugin-memorypkg:apk/wolfi/trino-plugin-mlpkg:apk/wolfi/trino-plugin-mongodbpkg:apk/wolfi/trino-plugin-mysqlpkg:apk/wolfi/trino-plugin-mysql-event-listenerpkg:apk/wolfi/trino-plugin-opapkg:apk/wolfi/trino-plugin-openlineagepkg:apk/wolfi/trino-plugin-opensearchpkg:apk/wolfi/trino-plugin-oraclepkg:apk/wolfi/trino-plugin-password-authenticatorspkg:apk/wolfi/trino-plugin-phoenix5pkg:apk/wolfi/trino-plugin-pinotpkg:apk/wolfi/trino-plugin-postgresqlpkg:apk/wolfi/trino-plugin-prometheuspkg:apk/wolfi/trino-plugin-rangerpkg:apk/wolfi/trino-plugin-raptor-legacypkg:apk/wolfi/trino-plugin-redispkg:apk/wolfi/trino-plugin-redshiftpkg:apk/wolfi/trino-plugin-resource-group-managerspkg:apk/wolfi/trino-plugin-session-property-managerspkg:apk/wolfi/trino-plugin-singlestorepkg:apk/wolfi/trino-plugin-snowflakepkg:apk/wolfi/trino-plugin-spooling-filesystempkg:apk/wolfi/trino-plugin-sqlserverpkg:apk/wolfi/trino-plugin-teradata-functionspkg:apk/wolfi/trino-plugin-thriftpkg:apk/wolfi/trino-plugin-tpcdspkg:apk/wolfi/trino-plugin-tpchpkg:apk/wolfi/trino-plugin-verticapkg:maven/org.apache.thrift/libthrift
< 440-r0+ 134 more
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: < 440-r0
- (no CPE)range: >= 0.9.2, < 0.12.0
- Apache Software Foundation/Apache Thriftv5Range: Apache Thrift 0.9.2 to 0.11.0
Patches
Vulnerability mechanics
References
12- access.redhat.com/errata/RHSA-2019:1545ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:3140ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-vx85-mj8c-4qm6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-11798ghsaADVISORY
- www.securityfocus.com/bid/106501mitrevdb-entryx_refsource_BID
- github.com/apache/thrift/commit/2a2b72f6c8aef200ecee4984f011e06052288ff2ghsaWEB
- github.com/apache/thrift/pull/1606ghsaWEB
- issues.apache.org/jira/browse/THRIFT-4647ghsaWEB
- lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd%40%3Cuser.thrift.apache.org%3Emitrex_refsource_MISC
- lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd@%3Cuser.thrift.apache.org%3EghsaWEB
- web.archive.org/web/20200227094236/http://www.securityfocus.com/bid/106501ghsaWEB
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.