
CVE-2019-12410

Type: NULL Pointer Dereference
Severity: Medium
Publication date: 11/08/2019
Last modified: 11/13/2019
Description
While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365, it was discovered that Apache Arrow versions 0.12.0 to 0.14.1 left memory Array data uninitialized when reading RLE null data from Parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
Impact
Access Vector: Through network
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: No impact on system integrity + No impact on system confidentiality + Partial impact on system availability
Vulnerable software and versions
  • cpe:2.3:a:apache:arrow:*:*:*:*:*:*:*:*