CVE-2016-5397
Severity: HIGH 8.8 | EPSS: 22.6% | Apache Thrift Go Library Command Injection
Published: 5/13/2022 | Modified: 4/28/2026
Description
The Apache Thrift Go client library exposed the potential for command injection during code generation, because the generator invoked an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
Affected packages (2)
- Debian/thrift: from 0, < 0.11.0-3
- Go/github.com/apache/thrift: from 0, < 0.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2016-5397
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2016-5397
- WEB: http://mail-archives.apache.org/mod_mbox/thrift-user/201701.mbox/raw/%3CCANyrgvc3W%3DMJ9S-hMZecPNzxkyfgNmuSgVfW2hdDSz5ke%2BOPhQ%40mail.gmail.com%3E
- WEB: https://access.redhat.com/errata/RHSA-2018:2669
- WEB: https://access.redhat.com/errata/RHSA-2019:3140
- WEB: https://issues.apache.org/jira/browse/THRIFT-3893
- WEB: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E
- WEB: https://web.archive.org/web/20210124141102/http://www.securityfocus.com/bid/103025