PT-2019-12791 · Apache · Apache Arrow

Publicado

2019-11-08

Atualizado

2022-05-24

CVE-2019-12410

CVSS v4.0

8.7

Alta

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Apache Arrow versions 0.12.0 through 0.14.1

Description The issue arises when reading RLE null data from parquet, resulting in uninitialized Array data being left in memory. This affects the C++, Python, Ruby, and R implementations of Apache Arrow. The uninitialized memory could potentially be shared if transmitted over the wire or persisted in streaming IPC and file formats.

Recommendations For Apache Arrow versions 0.12.0 through 0.14.1, update to a version that initializes memory properly when reading RLE null data from parquet to prevent potential data sharing issues.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-909

Identificadores relacionados

CVE-2019-12410

GHSA-CJW4-2W9R-R8MV

PYSEC-2019-196

Produtos afetados

Apache Arrow

PT-2019-12791 · Apache · Apache Arrow

CVE-2019-12410

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 13