CVE-2020-13949 Details

CVE-2020-13949

Published: 2021-02-12
Last Modified: 2021-10-04
CVE Author: NIST National Vulnerability Database
CVE Assigner: security@apache.org
Summary

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Analysis
Common Vulnerability Scoring System v2.0
Severity Medium
Base Score 5/10
Exploit Score 10/10
Access Vector Network
Access Complexity Low
Authentication None
Impact Score 2.9/10
Confidentiality Impact None
Availability Impact Partial
Integrity Impact None
Vector String AV:N/AC:L/Au:N/C:N/I:N/A:P
Common Vulnerability Scoring System v3.1
Severity High
Base Score 7.5/10
Exploit Score 3.9/10
Attack Vector Network
Attack Complexity Low
Privileges Required None
Impact Score 3.6/10
Confidentiality Impact None
Availability Impact High
Integrity Impact None
Scope Unchanged
User Interaction None
Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Products Reported
CPE                                                           Vulnerable  Start   Excluding
cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*                         Yes         -       4.0.0
cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*                       Yes         0.9.3   -
cpe:2.3:a:oracle:communications_cloud_native_core_network_sl  Yes         -       -
References

https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f
https://lists.apache.org/thread.html/r3a1291a7ab8ee43db87cb0253371489810877028fc6e7c68dc
https://lists.apache.org/thread.html/r27b7d3d95ffa8498899ef1c9de553d469f8fe857640a3f6e58
https://lists.apache.org/thread.html/r143ca388b0c83fe659db14be76889d50b453b0ee06f423181f
https://lists.apache.org/thread.html/r515e01a30443cfa2dbb355c44c63149869afd684fb7b0344c5
https://lists.apache.org/thread.html/r93f23f74315e009f4fb68ef7fc794dceee42cf87fe6613814d
https://lists.apache.org/thread.html/rd78cdd87d84499a404202f015f55935db3658bd0983ecec81e
https://lists.apache.org/thread.html/rd49d53b146d94a7d3a135f6b505589655ffec24ea470e345d3
https://lists.apache.org/thread.html/r3f3e1d562c528b4bafef2dde51f79dd444a4b68ef24920d680
https://lists.apache.org/thread.html/r2d180180f37c2ab5cebd711d080d01d8452efa8ad43c5d9cd7
https://lists.apache.org/thread.html/r89fdd39965efb7c6d22bc21c286d203252cea476e1782724ac
https://lists.apache.org/thread.html/rbc5cad06a46d23253a3c819229efedecfc05f89ef53f5fdde7
https://lists.apache.org/thread.html/r02f7771863383ae993eb83cdfb70c3cb65a355c913242c850f
https://lists.apache.org/thread.html/r7ae909438ff5a2ffed9211e6ab0bd926396fd0b1fc33f31a40
https://lists.apache.org/thread.html/rf603d25213cfff81d6727c259328846b366fd32a4310763752
https://lists.apache.org/thread.html/r6990c849aeafe65366794bfd002febd47b7ffa8cf3c059b400
https://lists.apache.org/thread.html/r298a25228868ebc0943d56c8f3641212a0962d2dbcf1507d58
https://lists.apache.org/thread.html/rf741d08c7e0ab1542c81ea718467422bd01159ed284796a36a
https://lists.apache.org/thread.html/r278e96edc4bc13efb2cb1620a73e48f569162b833c6bda3e6e
https://lists.apache.org/thread.html/r421a9a76811c1aed7637b5fe5376ab14c09ccdd7b70d5211d6
https://lists.apache.org/thread.html/r1fb2d26b81c64ce96c4fd42b9e6842ff315b02c36518213b6c
https://lists.apache.org/thread.html/r286e9a13d3ab0550042997219101cb87871834b8d5ec293b0c
https://lists.apache.org/thread.html/r117d5d2b08d505b69558a2a31b0a1cf8990cd0385060b147e7
https://lists.apache.org/thread.html/r2f6a547f226579f542eb08793631d1f2d47d7aed7e2f9d11a4
https://lists.apache.org/thread.html/r449288f6a941a2585262e0f4454fdefe169d5faee33314f6f8
https://lists.apache.org/thread.html/r01b34416677f1ba869525e1b891ac66fa6f88c024ee4d7cdea
https://lists.apache.org/thread.html/r3550b61639688e0efbc253c6c3e6358851c1f053109f1c1493
https://lists.apache.org/thread.html/r890b8ec5203d70a59a6b1289420d46938d9029ed706aa72497
https://lists.apache.org/thread.html/r2ed66a3823990306b742b281af1834b9bc85f98259c870b8ff
https://lists.apache.org/thread.html/r587b4a5bcbc290269df0906bafba074f3fe4e50d4e959212f5
https://lists.apache.org/thread.html/rcdf62ecd36e39e4ff9c61802eee4927ce9ecff1602eed14939
https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec
https://lists.apache.org/thread.html/rf65df763f630163a3f620887efec082080555cee1adb0b8eaf
https://lists.apache.org/thread.html/rdc8e0f92d06decaee5db58de4ded16d80016a7db2240a8db17
https://lists.apache.org/thread.html/r191a9279e2863b68e5496ee4ecd8be0d4fe43b324b934f0d1f
https://lists.apache.org/thread.html/r0372f0af2dad0b76fbd7a6cfdaad29d50384ad48dda475a502
https://lists.apache.org/thread.html/r850522c56c05aa06391546bdb530bb8fc3437f2b77d16e571a
https://lists.apache.org/thread.html/r02ba8db500d15a5949e9a7742815438002ba1cf1b361bdda52
https://lists.apache.org/thread.html/r3e31ec7e8c39db7553be4f4fd4d27cf27c41f1ba9c985995c4
https://lists.apache.org/thread.html/r3f97dbbbb1b2a7324521208bb595392853714e141a37b8f68d
https://lists.apache.org/thread.html/r8dfbefcd606af6737b62461a45a9af9222040b62eab474ff22
https://lists.apache.org/thread.html/r668aed02e287c93403e0b8df16089011ee4a96afc8f479809f
https://lists.apache.org/thread.html/ra7371efd8363c1cd0f5331aafd359a808cf7277472b8616d7b
https://lists.apache.org/thread.html/rf568168e7f83871969928c0379813da6d034485f8b20fa7388
https://lists.apache.org/thread.html/r18732bb1343894143d68db58fe4c8f56d9cd221b37f1378ed7
https://lists.apache.org/thread.html/rc896ce7761999b088f3adabcb99dde2102b6a66130b8eec6c8
https://lists.apache.org/thread.html/rc7a79b08822337c68705f16ee7ddcfd352313b836e78a4b86c
https://lists.apache.org/thread.html/r6c5b7324274fd361b038c5cc316e99344b7ae20beae7163214
https://lists.apache.org/thread.html/rae95c2234b6644bfd666b2671a1b42a09f38514d0f27cca3c7
https://lists.apache.org/thread.html/race178e9500ab8a5a6112667d27c48559150cadb60f2814bc6
https://lists.apache.org/thread.html/r1456eab5f3768be69436d5b0a68b483eb316eb85eb3ef6eba1
https://lists.apache.org/thread.html/r3de0e0c26d4bd00dd28cab27fb44fba11d1c1d20275f7cce71
https://lists.apache.org/thread.html/r7597683cc8b87a31ec864835225a543dad112d7841bf1f17bf
https://lists.apache.org/thread.html/rfbb01bb85cdc2022f3b96bdc416dbfcb49a2855b3a340aa88b
https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a
https://lists.apache.org/thread.html/r9b51e7c253cb0989b4c03ed9f4e5f0478e427473357209ccc4
https://lists.apache.org/thread.html/r1dea91f0562e0a960b45b1c5635b2a47b258b77171334276bc
https://lists.apache.org/thread.html/rb3574bc1036b577b265be510e6b208f0a5d5d84cd7198347dc
https://lists.apache.org/thread.html/r409e296c890753296c544a74d4de0d4a3ce719207a5878262f
https://lists.apache.org/thread.html/rb44ec04e5a9b1f87fef97bb5f054010cbfaa3b8586472a3a38
https://lists.apache.org/thread.html/r699c031e6921b0ad0f943848e7ba1d0e88c953619d47908618
https://lists.apache.org/thread.html/r74eb88b422421c65514c23cb9c2b2216efb9254317ea1b6a26
https://lists.apache.org/thread.html/rada9d2244a66ede0be29afc5d5f178a209f9988db56b9b845d
https://lists.apache.org/thread.html/rad635e16b300cf434280001ee6ecd2ed2c70987bf16eb862bf
https://lists.apache.org/thread.html/ra3f7f06a1759c8e2985ed24ae2f5483393c744c1956d661adc
https://lists.apache.org/thread.html/rd370fdb419652c5219409b315a6349b07a7e479bd3f151e9a5
https://lists.apache.org/thread.html/rc48ab5455bdece9a4afab53ca0f1e4f742d5baacb241323454
https://lists.apache.org/thread.html/r08a7bd19470ef8950d58cc9d9e7b02bc69c43f56c601989a77
https://lists.apache.org/thread.html/rdcf00186c34d69826d9c6b1f010136c98b00a586136de0061f
https://lists.apache.org/thread.html/r4fa53eacca2ac38904f38dc226caebb3f2f668b2da887f2fd4
https://lists.apache.org/thread.html/ra9f7c755790313e1adb95d29794043fb102029e803daf4212a
https://lists.apache.org/thread.html/r13f40151513ff095a44a86556c65597a7e55c00f5e19764a05
https://lists.apache.org/thread.html/r886b6d9a89b6fa0aafbf0a8f8f14351548d6c6f027886a3646
https://lists.apache.org/thread.html/rb91c32194eb5006f0b0c8bcdbd512c13495a1b277d4d51d456
https://lists.apache.org/thread.html/r15eed5d21e16a5cce810c1e096ffcffc36cd08c2f78ce2f9b2
https://lists.apache.org/thread.html/rcace846f74ea9e2af2f7c30cef0796724aa74089f109c8029b
https://lists.apache.org/thread.html/r635133a74fa07ef3331cae49a9a088365922266edd58099a61
https://lists.apache.org/thread.html/rbfbb81e7fb5d5009caf25798f02f42a7bd064a316097303ba2
https://lists.apache.org/thread.html/raea1bb8cf2eb39c5e10543f547bdbbdbb563c2ac6377652f16
https://lists.apache.org/thread.html/r8897a41f50d4eb19b268bde99328e943ba586f77779efa6de7
https://lists.apache.org/thread.html/r179119bbfb5610499286a84c316f6789c5afbfa5340edec6eb
https://lists.apache.org/thread.html/rc7a241e0af086b226ff9ccabc4a243d206f0f887037994bfd8
https://lists.apache.org/thread.html/rb51977d392b01434b0b5df5c19b9ad5b6178cfea59e676c14f
https://lists.apache.org/thread.html/rcae4c66f67e701db44d742156dee1f3e5e4e07ad7ce10c740a
https://lists.apache.org/thread.html/r741364444c3b238ab4a161f67f0d3a8f68acc517a39e6a93aa
https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47
https://lists.apache.org/thread.html/r950ced188d62320fdb84d9e2c6ba896328194952eff7430c4f
https://lists.apache.org/thread.html/r62aa6d07b23095d980f348d330ed766560f9a9e940fec051f5
https://lists.apache.org/thread.html/r12090c81b67d21a814de6cf54428934a5e5613fde222759bbb
https://lists.apache.org/thread.html/r20f6f8f8cf07986dc5304baed3bf4d8a1c4cf135ff6fe3640b
https://security.gentoo.org/glsa/202107-32
https://www.oracle.com//security-alerts/cpujul2021.html
https://lists.apache.org/thread.html/r4d90b6d8de9697beb38814596d3a0d4994fa9aba1f6731a2c6
https://lists.apache.org/thread.html/r869331422580d35b4e65bd74cf3090298c4651bf4f31bfb19a
https://lists.apache.org/thread.html/r90b4473950e26607ed77f3d70f120166f6a36a3f80888e4eea
https://lists.apache.org/thread.html/rd0734d91f16d5b050f0bcff78b4719300042a34fadf5e52d0e
https://lists.apache.org/thread.html/r533a172534ae67f6f17c4d33a1b814d3d5ada9ccd4eb442249
https://lists.apache.org/thread.html/r72c3d1582d50b2ca7dd1ee97e81c847a5cf3458be26d42653c
https://lists.apache.org/thread.html/rf75979ae0ffd526f3afa935a8f0ee13c82808ea8b2bc0325eb
https://lists.apache.org/thread.html/r17cca685ad53bc8300ee7fcfe874cb784a222343f217dd076e
https://lists.apache.org/thread.html/r812915ecfa541ad2ca65c68a97b2c014dc87141dfaefc4de85
https://lists.apache.org/thread.html/r196409cc4df929d540a2e66169104f2b3b258d8bd96b5f083c
https://lists.apache.org/thread.html/r1084a911dff90b2733b442ee0f5929d19b168035d447f2d25f
https://lists.apache.org/thread.html/r6ba4f0817f98bf7c1cb314301cb7a24ba11a0b3e7a5be8b0ae
https://lists.apache.org/thread.html/r9ec75f690dd60fec8621ba992290962705d5b7f0d8fd0a42fa
https://lists.apache.org/thread.html/r6ae3c68b0bfe430fb32f24236475276b6302bed625b23f53b6
https://lists.apache.org/thread.html/r995b945cc8f6ec976d8c52d42ba931a688b45fb32cbdde715b

CVE ID: CVE-2020-13949
Published: 2021-02-12
Modified: 2021-10-04
CVSSv2.0: Medium
CVSSv3.1: High
PCI Compliance: Pass
US-CERT Alert: No
CWE: CWE-400

Free Vulnerability Scanning, Assessment and Management

Mageni's Platform is packed with all the features you need to scan, assess and manage vulnerabilities like this - it is free, open source, lightning fast, reliable and scalable.


Frequently Asked Questions

No, you can scan concurrently as many assets as you want. Please note that you must be aware of the hardware requirements of the platform to ensure good performance.

No, you can add as many assets as you want. It doesn't matter if you have millions of assets; we won't charge you for that.

No. The software is completely free. We have no intention to charge you to use the software, in fact - it completely goes against our beliefs and business model.

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005)

We generate revenue by providing support and other services for customers that require a subscription so they get guaranteed support and enterprise services. Using Mageni's Platform is completely free, with no limits at all.

Yes. Mageni understands that there are professionals and businesses that need commercial support so Mageni provides an active support subscription with everything needed to run Mageni's Platform reliably and securely. More than software, it's access to security experts, knowledge resources, security updates, and support tools you can't get anywhere else. The subscription includes:

  • Ongoing delivery
    • Patches
    • Bug fixes
    • Updates
    • Upgrades
  • Technical support
    • 24/7 availability
    • Unlimited Incidents
    • Specialty-based routing
    • Multi-Channel
  • Commitments
    • Software certifications
    • Software assurance
    • SLA

No, we don't store the information of your vulnerabilities in our servers.

Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization. The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation etc. Source: "Implementing a Vulnerability Management Process". SANS Institute.
