CVE-2021-24028

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/facebook/fbthrift/commit/bfda1efa547dce11a38592820916db01b05b9339	Patch Third Party Advisory
https://www.facebook.com/security/advisories/cve-2021-24028	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:facebook:thrift:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-04-14 00:15

Updated : 2021-04-21 15:38

NVD link : CVE-2021-24028

Mitre link : CVE-2021-24028

CVE.ORG link : CVE-2021-24028

JSON object : View

Products Affected

facebook

thrift

CWE

CWE-763

Release of Invalid Pointer or Reference

{"id": "CVE-2021-24028", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-04-14T00:15:13.057", "references": [{"url": "https://github.com/facebook/fbthrift/commit/bfda1efa547dce11a38592820916db01b05b9339", "tags": ["Patch", "Third Party Advisory"], "source": "cve-assign@fb.com"}, {"url": "https://www.facebook.com/security/advisories/cve-2021-24028", "tags": ["Vendor Advisory"], "source": "cve-assign@fb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-763"}]}, {"type": "Secondary", "source": "cve-assign@fb.com", "description": [{"lang": "en", "value": "CWE-763"}]}], "descriptions": [{"lang": "en", "value": "An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00."}, {"lang": "es", "value": "Una liberaci\u00f3n no v\u00e1lida en la serializaci\u00f3n basada en tablas de Thrift puede causar que la aplicaci\u00f3n se bloquee o potencialmente resultar en una ejecuci\u00f3n de c\u00f3digo u otros efectos no deseados. Este problema afecta a Facebook Thrift versiones anteriores a v2021.02.22.00"}], "lastModified": "2021-04-21T15:38:52.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:thrift:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A18FDF19-9F34-428F-A9C3-BB2E870D080C", "versionEndExcluding": "2021.02.22.00"}], "operator": "OR"}]}], "sourceIdentifier": "cve-assign@fb.com"}