CVE-2018-1320 - Improper Input Validation #4
Labels
CVSS: High
Status: Won't Fix
Use to signal that the issue is acknowledged, but it’s decided that the work will not be performed.
Type: Security
Comments
MGathier
added
CVSS: High
Status: Won't Fix
|
This is a server-side vulnerability. As Axon Server only uses Apache Thrift as a client to send to Jaeger, this vulnerability does not apply to Axon Server. Axon Server only uses libthrift when gRPC metrics are enabled and exported to Jaeger (axoniq.axonserver.metrics.grpc.jaeger-enabled=true). It is not possible to upgrade to a more recent version of libthrift, as this is not compatible with the jaeger client version. |
|
As of AS 2024.2.2 exporting to Jaeger is moved to an extension. Base code no longer contains the thrift library. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Apache Thrift Java client library versions 0.5.0 prior to 0.9.3-1 and 0.10.0 prior to 0.12.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class.
Found in libthrift 0.11.0, resolved in 0.12.0
The text was updated successfully, but these errors were encountered: