{
  "threat_severity" : "Important",
  "public_date" : "2016-07-04T00:00:00Z",
  "bugzilla" : {
    "description" : "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands",
    "id" : "1544620",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1544620"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0." ],
  "statement" : "libthrift is a library used by OpenDaylight, which is shipped with Red Hat OpenStack. Whilst the version of the library used contains the vulnerable code, that code is not used by OpenDaylight and hence is not exposed.\nJBoss Fuse 6.3 ships libthrift via the insight-activemq fabric-8 profile; however, the vulnerable code is not used by fabric-8, so Fuse 6.3 is not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Data Virtualization 6.4.8",
    "release_date" : "2019-10-17T00:00:00Z",
    "advisory" : "RHSA-2019:3140",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.4",
    "package" : "libthrift"
  }, {
    "product_name" : "Red Hat JBoss Fuse 7",
    "release_date" : "2018-09-11T00:00:00Z",
    "advisory" : "RHSA-2018:2669",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "camel"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "thrift",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "karaf",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Integration Service 2",
    "fix_state" : "Affected",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:fuse_integration_services:2"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Not affected",
    "package_name" : "thrift",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3",
    "fix_state" : "Not affected",
    "package_name" : "thrift",
    "cpe" : "cpe:/a:redhat:openshift:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 11 (Ocata)",
    "fix_state" : "Will not fix",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:openstack:11"
  }, {
    "product_name" : "Red Hat OpenStack Platform 12 (Pike)",
    "fix_state" : "Will not fix",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:openstack:12"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-5397\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5397" ],
  "name" : "CVE-2016-5397",
  "csaw" : false
}