VYPR
← All advisories
High severityNVD Advisory· Published Jan 7, 2019· Updated Aug 5, 2024

CVE-2018-1320

CVE-2018-1320

Description

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Thrift Java client library versions 0.5.0 through 0.11.0 bypass SASL handshake validation due to a disabled assert, allowing unauthenticated access.

Vulnerability

Apache Thrift Java client library versions 0.5.0 through 0.11.0 contain a vulnerability in the org.apache.thrift.transport.TSaslTransport class [1][2]. The SASL negotiation isComplete validation relies on an assert statement, which is disabled in production builds, making the handshake completion check ineffective [2]. This allows incomplete or failed SASL negotiations to be treated as successful.

Exploitation

An attacker positioned as a network intermediary or acting as a rogue client can send a crafted SASL handshake that never completes, yet the disabled assert will not enforce the isComplete check [2]. No authentication credentials are needed; the attacker only needs to initiate a connection to a Thrift service using the vulnerable client library.

Impact

Successful exploitation bypasses SASL authentication, potentially allowing an unauthenticated attacker to gain access to resources or execute operations intended only for authenticated users [1][2]. The impact depends on the specific Thrift service configuration, but it can lead to unauthorized data access or privilege escalation.

Mitigation

The fix is included in Apache Thrift version 0.9.3.1 and later releases [2][4]. Users should upgrade to at least version 0.9.3.1 or the latest stable release [3]. No workaround is available for earlier versions [2].

References
  1. NVD - CVE-2018-1320
  2. [THRIFT-4506] [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
  3. GitHub - apache/thrift: Apache Thrift
  4. Release Version 0.9.3.1 · apache/thrift

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.thrift:libthriftMaven
>= 0.5.0, < 0.9.3-10.9.3-1
org.apache.thrift:libthriftMaven
>= 0.10.0, < 0.12.00.12.0

Affected products

6

Patches

2
7489ed6ac8ba

THRIFT-4506: fix use of assert for correctness in Java SASL negotiation

https://github.com/apache/thriftJames E. King IIIMar 5, 2018via ghsa
commit
1 file changed · +1 3
  • lib/java/src/org/apache/thrift/transport/TSaslTransport.java+1 3 modified
    @@ -287,16 +287,14 @@ public void open() throws TTransportException {
         if (message.status == NegotiationStatus.COMPLETE &&
             getRole() == SaslRole.CLIENT) {
           LOGGER.debug("{}: All done!", getRole());
-          break;
+          continue;
         }
 
         sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK,
                         challenge);
       }
       LOGGER.debug("{}: Main negotiation loop complete", getRole());
 
-      assert sasl.isComplete();
-
       // If we're the client, and we're complete, but the server isn't
       // complete yet, we need to wait for its response. This will occur
       // with ANONYMOUS auth, for example, where we send an initial response
d973409661f8

THRIFT-4506: fix use of assert for correctness in Java SASL negotiation

https://github.com/apache/thriftJames E. King IIIMar 5, 2018via ghsa
commit
1 file changed · +1 3
  • lib/java/src/org/apache/thrift/transport/TSaslTransport.java+1 3 modified
    @@ -287,16 +287,14 @@ public void open() throws TTransportException {
         if (message.status == NegotiationStatus.COMPLETE &&
             getRole() == SaslRole.CLIENT) {
           LOGGER.debug("{}: All done!", getRole());
-          break;
+          continue;
         }
 
         sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK,
                         challenge);
       }
       LOGGER.debug("{}: Main negotiation loop complete", getRole());
 
-      assert sasl.isComplete();
-
       // If we're the client, and we're complete, but the server isn't
       // complete yet, we need to wait for its response. This will occur
       // with ANONYMOUS auth, for example, where we send an initial response

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

50

News mentions

0

No linked articles in our index yet.