{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-12-01T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://grokbase.com/t/thrift/user/15c2tss3td/notice-apache-thrift-security-vulnerability-cve-2015-1774"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/THRIFT-3231"}, {"name": "99112", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99112"}, {"name": "[thrift-user] 20151210 Re: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://mail-archives.apache.org/mod_mbox/thrift-user/201512.mbox/%3CCANyrgvcjvEcjTVmaL+tVXCBm4o5G+1neu=MUubD9GbU85bO_Ew%40mail.gmail.com%3E"}, {"name": "RHSA-2017:2477", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2477"}, {"name": "RHSA-2017:3115", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:3115"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:39:32.050Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://grokbase.com/t/thrift/user/15c2tss3td/notice-apache-thrift-security-vulnerability-cve-2015-1774"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/THRIFT-3231"}, {"name": "99112", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99112"}, {"name": "[thrift-user] 20151210 Re: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://mail-archives.apache.org/mod_mbox/thrift-user/201512.mbox/%3CCANyrgvcjvEcjTVmaL+tVXCBm4o5G+1neu=MUubD9GbU85bO_Ew%40mail.gmail.com%3E"}, {"name": "RHSA-2017:2477", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2477"}, {"name": "RHSA-2017:3115", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:3115"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-3254", "datePublished": "2017-06-16T22:00:00.000Z", "dateReserved": "2015-04-10T00:00:00.000Z", "dateUpdated": "2024-08-06T05:39:32.050Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*", "matchCriteriaId": "3021F602-A471-49B9-8B42-4946C2156CE6", "versionEndIncluding": "0.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function."}, {"lang": "es", "value": "Las bibliotecas cliente de Apache Thrift anteriores a la versi\u00f3n 0.9.3 podr\u00edan permitir que los usuarios remotos autenticados causen una denegaci\u00f3n de servicio (recursi\u00f3n infinita) a trav\u00e9s de vectores que implican la funci\u00f3n skip."}], "id": "CVE-2015-3254", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-16T22:29:00.180", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://grokbase.com/t/thrift/user/15c2tss3td/notice-apache-thrift-security-vulnerability-cve-2015-1774"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/99112"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:2477"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:3115"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/THRIFT-3231"}, {"source": "secalert@redhat.com", "url": "https://mail-archives.apache.org/mod_mbox/thrift-user/201512.mbox/%3CCANyrgvcjvEcjTVmaL+tVXCBm4o5G+1neu=MUubD9GbU85bO_Ew%40mail.gmail.com%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://grokbase.com/t/thrift/user/15c2tss3td/notice-apache-thrift-security-vulnerability-cve-2015-1774"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/99112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:2477"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:3115"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/THRIFT-3231"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://mail-archives.apache.org/mod_mbox/thrift-user/201512.mbox/%3CCANyrgvcjvEcjTVmaL+tVXCBm4o5G+1neu=MUubD9GbU85bO_Ew%40mail.gmail.com%3E"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:3115", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "package": "camel", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2017-11-02T00:00:00Z"}, {"advisory": "RHSA-2017:2477", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3", "package": "libthrift", "product_name": "Red Hat JBoss Data Virtualization 6.3", "release_date": "2017-08-15T00:00:00Z"}, {"advisory": "RHSA-2017:3115", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "camel", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2017-11-02T00:00:00Z"}], "bugzilla": {"description": "thrift: Infinite recursion via vectors involving the skip function", "id": "1462783", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.", "A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition."], "name": "CVE-2015-3254", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Will not fix", "package_name": "thrift", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "libthrift", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Will not fix", "package_name": "libthrift", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Not affected", "package_name": "libthrift", "product_name": "Red Hat OpenShift Enterprise 3"}], "public_date": "2015-07-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-3254\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3254"], "threat_severity": "Moderate"}

{}