PT-2019-12791 · Apache · Apache Arrow

Published

2019-11-08

Updated

2022-05-24

CVE-2019-12410

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Apache Arrow versions 0.12.0 through 0.14.1

Description The issue arises when reading RLE null data from parquet, resulting in uninitialized Array data being left in memory. This affects the C++, Python, Ruby, and R implementations of Apache Arrow. The uninitialized memory could potentially be shared if transmitted over the wire or persisted in streaming IPC and file formats.

Recommendations For Apache Arrow versions 0.12.0 through 0.14.1, update to a version that initializes memory properly when reading RLE null data from parquet to prevent potential data sharing issues.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-909

Related Identifiers

CVE-2019-12410

GHSA-CJW4-2W9R-R8MV

PYSEC-2019-196

Affected Products

Apache Arrow

PT-2019-12791 · Apache · Apache Arrow

CVE-2019-12410

Weakness Enumeration

Related Identifiers

Affected Products

References · 13