gsd-2019-12408
Vulnerability from gsd
Modified
2022-05-24 00:00
Details
It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
Aliases
Aliases
CVE-2019-12408


To clipboard 

{
  "GSD": {
    "alias": "CVE-2019-12408",
    "description": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
    "id": "GSD-2019-12408"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "red-arrow",
            "purl": "pkg:gem/red-arrow"
          }
        }
      ],
      "aliases": [
        "CVE-2019-12408",
        "GHSA-8cw2-jv5c-c825"
      ],
      "details": "It was discovered that the C++ implementation (which underlies the R,\nPython and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized\nmemory bug when building arrays with null values in some cases. This can lead to\nuninitialized memory being unintentionally shared if Arrow Arrays are transmitted\nover the wire (for instance with Flight) or persisted in the streaming IPC and file\nformats.\n",
      "id": "GSD-2019-12408",
      "modified": "2022-05-24T00:00:00.000Z",
      "published": "2022-05-24T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
        },
        {
          "type": "WEB",
          "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Missing Initialization of Resource in Apache Arrow"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2019-12408",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Arrow",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache Arrow 0.14.0 to 0.14.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "refsource": "CONFIRM",
            "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
          },
          {
            "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-12408",
      "cvss_v3": 7.5,
      "date": "2022-05-24",
      "description": "It was discovered that the C++ implementation (which underlies the R,\nPython and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized\nmemory bug when building arrays with null values in some cases. This can lead to\nuninitialized memory being unintentionally shared if Arrow Arrays are transmitted\nover the wire (for instance with Flight) or persisted in the streaming IPC and file\nformats.\n",
      "gem": "red-arrow",
      "ghsa": "8cw2-jv5c-c825",
      "patched_versions": [
        "\u003e= 0.15.1"
      ],
      "related": {
        "url": [
          "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
        ]
      },
      "title": "Missing Initialization of Resource in Apache Arrow",
      "unaffected_versions": [
        "\u003c 0.14.0"
      ],
      "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.14.0 \u003c=0.14.1",
          "affected_versions": "All versions starting from 0.14.0 up to 0.14.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2019-11-13",
          "description": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow has an uninitialized memory bug when building arrays with `null` values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.15.0"
          ],
          "identifier": "CVE-2019-12408",
          "identifiers": [
            "CVE-2019-12408"
          ],
          "not_impacted": "All versions before 0.14.0, all versions after 0.14.1",
          "package_slug": "gem/red-arrow",
          "pubdate": "2019-11-08",
          "solution": "Upgrade to version 0.15.0 or above.",
          "title": "NULL Pointer Dereference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12408"
          ],
          "uuid": "bf4f0b78-13b3-4931-a7fa-662ae8fa4e54"
        },
        {
          "affected_range": "\u003e=0.14.0,\u003c0.15.1",
          "affected_versions": "All versions starting from 0.14.0 before 0.15.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2022-06-28",
          "description": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.15.1"
          ],
          "identifier": "CVE-2019-12408",
          "identifiers": [
            "GHSA-8cw2-jv5c-c825",
            "CVE-2019-12408"
          ],
          "not_impacted": "All versions before 0.14.0, all versions starting from 0.15.1",
          "package_slug": "pypi/arrow",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to version 0.15.1 or above.",
          "title": "Missing Initialization of Resource",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12408",
            "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E",
            "https://github.com/advisories/GHSA-8cw2-jv5c-c825"
          ],
          "uuid": "44177710-30dc-492c-aeca-61d6f22c3e29"
        },
        {
          "affected_range": "\u003e=0.14.0,\u003c=0.14.1",
          "affected_versions": "All versions starting from 0.14.0 up to 0.14.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-909",
            "CWE-937"
          ],
          "date": "2019-11-13",
          "description": "Apache Arrow has an uninitialized memory bug when building arrays with `null` values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
          "fixed_versions": [
            "0.14.2"
          ],
          "identifier": "CVE-2019-12408",
          "identifiers": [
            "CVE-2019-12408"
          ],
          "not_impacted": "All versions before 0.14.0, all versions after 0.14.1",
          "package_slug": "pypi/pyarrow",
          "pubdate": "2019-11-08",
          "solution": "Upgrade to version 0.14.2 or above.",
          "title": "NULL Pointer Dereference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-12408",
            "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
            "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
          ],
          "uuid": "47830733-aaf3-46e1-9a3f-131b3a7b4a81"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:arrow:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.14.1",
                "versionStartIncluding": "0.14.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-12408"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-909"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E",
              "refsource": "CONFIRM",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
            },
            {
              "name": "[announce] 20191108 [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-08-24T17:37Z",
      "publishedDate": "2019-11-08T19:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.