github - ghsa-cjw4-2w9r-r8mv

ghsa-cjw4-2w9r-r8mv

Vulnerability from github

Published

2022-05-24 17:00

Modified

2024-10-21 20:14

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Missing Initialization of Resource in Apache Arrow

Details

While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyarrow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "red-arrow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-12410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T14:36:30Z",
    "nvd_published_at": "2019-11-08T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
  "id": "GHSA-cjw4-2w9r-r8mv",
  "modified": "2024-10-21T20:14:47Z",
  "published": "2022-05-24T17:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12410"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-cjw4-2w9r-r8mv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/arrow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2019-196.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/red-arrow/CVE-2019-12410.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Missing Initialization of Resource in Apache Arrow"
}

gsd-2019-12410

Vulnerability from gsd

Modified

2022-05-24 00:00

Details

Aliases

CVE-2019-12410

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-12410",
    "description": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
    "id": "GSD-2019-12410"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "red-arrow",
            "purl": "pkg:gem/red-arrow"
          }
        }
      ],
      "aliases": [
        "CVE-2019-12410",
        "GHSA-cjw4-2w9r-r8mv"
      ],
      "details": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365\nit was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data\nuninitialized when reading RLE null data from parquet. This affected the C++, Python,\nRuby and R implementations. The uninitialized memory could potentially be shared\nif are transmitted over the wire (for instance with Flight) or persisted in the\nstreaming IPC and file formats.\n",
      "id": "GSD-2019-12410",
      "modified": "2022-05-24T00:00:00.000Z",
      "published": "2022-05-24T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
        },
        {
          "type": "WEB",
          "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
        },
        {
          "type": "WEB",
          "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Missing Initialization of Resource in Apache Arrow"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2019-12410",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Arrow",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache Arrow 0.12.0 to 0.14.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[arrow-dev] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
          },
          {
            "name": "[oss-security] 20191107 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
          },
          {
            "name": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "refsource": "CONFIRM",
            "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
          },
          {
            "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-12410",
      "cvss_v3": 7.5,
      "date": "2022-05-24",
      "description": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365\nit was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data\nuninitialized when reading RLE null data from parquet. This affected the C++, Python,\nRuby and R implementations. The uninitialized memory could potentially be shared\nif are transmitted over the wire (for instance with Flight) or persisted in the\nstreaming IPC and file formats.\n",
      "gem": "red-arrow",
      "ghsa": "cjw4-2w9r-r8mv",
      "patched_versions": [
        "\u003e= 0.15.1"
      ],
      "related": {
        "url": [
          "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E",
          "http://www.openwall.com/lists/oss-security/2019/11/08/1"
        ]
      },
      "title": "Missing Initialization of Resource in Apache Arrow",
      "unaffected_versions": [
        "\u003c 0.12.0"
      ],
      "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.12.0 \u003c=0.14.1",
          "affected_versions": "All versions starting from 0.12.0 up to 0.14.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2019-11-13",
          "description": "Apache Arrow left memory Array data uninitialized when reading RLE null data from parquet. Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.15.0"
          ],
          "identifier": "CVE-2019-12410",
          "identifiers": [
            "CVE-2019-12410"
          ],
          "not_impacted": "All versions before 0.12.0, all versions after 0.14.1",
          "package_slug": "gem/red-arrow",
          "pubdate": "2019-11-08",
          "solution": "Upgrade to version 0.15.0 or above.",
          "title": "NULL Pointer Dereference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12410",
            "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
          ],
          "uuid": "bbdf565d-5466-446f-bf52-5f36ec2de9c9"
        },
        {
          "affected_range": "\u003e=0.12.0,\u003c0.15.1",
          "affected_versions": "All versions starting from 0.12.0 before 0.15.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2022-06-28",
          "description": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.15.1"
          ],
          "identifier": "CVE-2019-12410",
          "identifiers": [
            "GHSA-cjw4-2w9r-r8mv",
            "CVE-2019-12410"
          ],
          "not_impacted": "All versions before 0.12.0, all versions starting from 0.15.1",
          "package_slug": "pypi/arrow",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 0.15.1 or above.",
          "title": "Missing Initialization of Resource",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12410",
            "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E",
            "http://www.openwall.com/lists/oss-security/2019/11/08/1",
            "https://github.com/advisories/GHSA-cjw4-2w9r-r8mv"
          ],
          "uuid": "46b88338-df24-46ae-b6cf-699fb346b725"
        },
        {
          "affected_range": "\u003e=0.12.0,\u003c=0.14.1",
          "affected_versions": "All versions starting from 0.12.0 up to 0.14.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2019-11-13",
          "description": "Apache Arrow versions leaves memory Array data uninitialized when reading RLE null data from parquet.",
          "fixed_versions": [
            "0.14.2"
          ],
          "identifier": "CVE-2019-12410",
          "identifiers": [
            "CVE-2019-12410"
          ],
          "not_impacted": "All versions before 0.12.0, all versions after 0.14.1",
          "package_slug": "pypi/pyarrow",
          "pubdate": "2019-11-08",
          "solution": "Upgrade to version 0.14.2 or above.",
          "title": "NULL Pointer Dereference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12410",
            "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
          ],
          "uuid": "95fe52c7-4a26-43d2-a2f2-cb8a5b1311b1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:arrow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.14.1",
                "versionStartIncluding": "0.12.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-12410"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-909"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20191107 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
            },
            {
              "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-08-24T17:37Z",
      "publishedDate": "2019-11-08T19:15Z"
    }
  }
}

CVE-2019-12410 (GCVE-0-2019-12410)

Vulnerability from cvelistv5

Published

2019-11-08 18:04

Modified

2024-08-04 23:17

Severity ?

CWE

Information Disclosure

Summary

References

►

URL

Tags

	https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269%40%3Cdev.arrow.apache.org%3E	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2019/11/08/1	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269%40%3Cdev.arrow.apache.org%3E	x_refsource_CONFIRM
	https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073%40%3Cannounce.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Arrow	Version: Apache Arrow 0.12.0 to 0.14.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:17:40.008Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[arrow-dev] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269%40%3Cdev.arrow.apache.org%3E"
          },
          {
            "name": "[oss-security] 20191107 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269%40%3Cdev.arrow.apache.org%3E"
          },
          {
            "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Arrow",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Arrow 0.12.0 to 0.14.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-08T21:06:33",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[arrow-dev] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269%40%3Cdev.arrow.apache.org%3E"
        },
        {
          "name": "[oss-security] 20191107 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269%40%3Cdev.arrow.apache.org%3E"
        },
        {
          "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-12410",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Arrow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Arrow 0.12.0 to 0.14.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[arrow-dev] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20191107 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
            },
            {
              "name": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
              "refsource": "CONFIRM",
              "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
            },
            {
              "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-12410",
    "datePublished": "2019-11-08T18:04:52",
    "dateReserved": "2019-05-28T00:00:00",
    "dateUpdated": "2024-08-04T23:17:40.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

pysec-2019-196

Vulnerability from pysec

Published

2019-11-08 19:15

Modified

2021-08-27 03:22

Details

Impacted products

Name	purl
pyarrow	pkg:pypi/pyarrow

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyarrow",
        "purl": "pkg:pypi/pyarrow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.12.0",
        "0.12.1",
        "0.13.0",
        "0.14.0",
        "0.14.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2019-12410",
    "GHSA-cjw4-2w9r-r8mv"
  ],
  "details": "While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
  "id": "PYSEC-2019-196",
  "modified": "2021-08-27T03:22:16.568373Z",
  "published": "2019-11-08T19:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/11/08/1"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-cjw4-2w9r-r8mv"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

ghsa-cjw4-2w9r-r8mv

Vulnerability from github

gsd-2019-12410

Vulnerability from gsd

CVE-2019-12410 (GCVE-0-2019-12410)

Vulnerability from cvelistv5

pysec-2019-196

Vulnerability from pysec

Tags

Sightings

Nomenclature