CVE-2018-11798 - OpenCVE

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Thrift

Configuration 1 [-]

cpe:2.3:a:apache:thrift:*:*:*:*:*:node.js:*:*

References

Link	Resource
http://www.securityfocus.com/bid/106501	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:1545
https://access.redhat.com/errata/RHSA-2019:3140
https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd%40%3Cuser.thrift.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2019-01-07T18:00:00

Updated: 2019-10-17T17:06:28

Reserved: 2018-06-05T00:00:00

Link: CVE-2018-11798

JSON object: View

NVD Information

Status : Modified

Published: 2019-01-07T17:29:00.283

Modified: 2023-11-07T02:51:48.120

Link: CVE-2018-11798

JSON object: View

Redhat Information

No data.

CWE

CWE-538

{"containers": {"cna": {"affected": [{"product": "Apache Thrift", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Thrift 0.9.2 to 0.11.0"}]}], "datePublic": "2019-01-07T00:00:00", "descriptions": [{"lang": "en", "value": "The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-17T17:06:28", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "106501", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106501"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd%40%3Cuser.thrift.apache.org%3E"}, {"name": "RHSA-2019:1545", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1545"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"name": "RHSA-2019:3140", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3140"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2018-11798", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Thrift", "version": {"version_data": [{"version_value": "Apache Thrift 0.9.2 to 0.11.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "106501", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106501"}, {"name": "https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd@%3Cuser.thrift.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd@%3Cuser.thrift.apache.org%3E"}, {"name": "RHSA-2019:1545", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1545"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"name": "RHSA-2019:3140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3140"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-11798", "datePublished": "2019-01-07T18:00:00", "dateReserved": "2018-06-05T00:00:00", "dateUpdated": "2019-10-17T17:06:28", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:thrift:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9FF4098E-DE56-4E2D-9CB1-D95BF3419958", "versionEndIncluding": "0.11.0", "versionStartIncluding": "0.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path."}, {"lang": "es", "value": "El servidor web est\u00e1tico Node.js de Apache Thrift, desde su versi\u00f3n 0.9.2 hasta la 0.11.0, contiene una vulnerabilidad de seguridad en la que un usuario remoto tiene la capacidad de acceder a archivos fuera de la ruta webservers docroot predeterminada."}], "id": "CVE-2018-11798", "lastModified": "2023-11-07T02:51:48.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-07T17:29:00.283", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106501"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2019:1545"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2019:3140"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd%40%3Cuser.thrift.apache.org%3E"}, {"source": "security@apache.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-538"}], "source": "nvd@nist.gov", "type": "Primary"}]}