=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN457
_____________________________________________________________________

DATE                : 05/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Thrift versions prior to
                     0.23.0.

=====================================================================
https://lists.apache.org/thread/1p7yl3w5dr9lm0d09lffof4myztbqswv
https://lists.apache.org/thread/fj2j7zsbb3krk5lhy945w9mjd5jpky7y
https://lists.apache.org/thread/9p1f1q6oflz0sp0t4wvbhzfj0j0t8dj5
_____________________________________________________________________

CVE-2026-43870: Apache Thrift: Node.js web_server.js multi-vulnerability
Severity: important

Affected versions:

- Apache Thrift before 0.23.0

Description:

Origin Validation Error, Improper Limitation of a Pathname to a
Restricted Directory ('Path Traversal'), Improper Neutralization
of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'),
Uncontrolled Resource Consumption vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the
issue.

References:

https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43870

_____________________________________________________________________

CVE-2026-43868: Apache Thrift: Rust implementation vulnerable to
CVE-2020-13949 pattern
Severity: important

Affected versions:

- Apache Thrift before 0.23.0

Description:

Memory Allocation with Excessive Size Value vulnerability in Apache
Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the
issue.

References:

https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43868
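"Memory Allocation with Excessive Size Value" in a Thrift decoder means a size field taken from the wire (frame length, container element count) drives an allocation before anyone asks whether the message could possibly hold that many bytes. The following is an added example, not Apache Thrift's Rust or Node.js library code: size-field validation for the framed transport (4-byte big-endian length prefix) and the binary-protocol list header (1-byte element type, 4-byte big-endian count), written in JavaScript so that it runs stand-alone. The limits and the sample messages are constructed.

```javascript
// Added example, not Apache Thrift library code. Validates wire size fields
// before any allocation. MAX_FRAME_BYTES, MAX_CONTAINER_SIZE and the sample
// messages are constructed for the example.
const MAX_FRAME_BYTES = 16 * 1024 * 1024;   // constructed limit
const MAX_CONTAINER_SIZE = 1 << 20;         // constructed limit

// Thrift binary-protocol TType codes and the fewest bytes one element of each
// type can occupy on the wire. "remaining bytes / minimum element size" bounds
// how many elements a message of this length can really carry.
const TType = { BOOL: 2, BYTE: 3, DOUBLE: 4, I16: 6, I32: 8, I64: 10,
                STRING: 11, STRUCT: 12, MAP: 13, SET: 14, LIST: 15 };
const MIN_ELEMENT_BYTES = { 2: 1, 3: 1, 4: 8, 6: 2, 8: 4, 10: 8,
                            11: 4, 12: 1, 13: 6, 14: 5, 15: 5 };

// Frame header: reject negative or oversized lengths before reading the body.
function readFrameLength(buf, maxFrameBytes = MAX_FRAME_BYTES) {
  if (buf.length < 4) throw new RangeError('frame header truncated');
  const len = buf.readInt32BE(0);
  if (len < 0 || len > maxFrameBytes) {
    throw new RangeError(`frame length ${len} outside 0..${maxFrameBytes}`);
  }
  return len;
}

// List header: the declared count must be non-negative, within the cap, and
// physically possible given the bytes left in the frame. A reader that did
// Vec::with_capacity(size) or new Array(size) straight from the field would
// let a 9-byte message request a multi-gigabyte allocation.
function readListHeader(frame, offset, maxContainerSize = MAX_CONTAINER_SIZE) {
  if (frame.length - offset < 5) throw new RangeError('list header truncated');
  const elemType = frame.readUInt8(offset);
  const size = frame.readInt32BE(offset + 1);
  const minElem = MIN_ELEMENT_BYTES[elemType];
  if (minElem === undefined) throw new RangeError(`unknown element type ${elemType}`);
  if (size < 0 || size > maxContainerSize) {
    throw new RangeError(`container size ${size} outside 0..${maxContainerSize}`);
  }
  const remaining = frame.length - offset - 5;
  if (size * minElem > remaining) {
    throw new RangeError(`${size} elements declared but only ${remaining} bytes remain`);
  }
  return { elemType, size, bodyOffset: offset + 5 };
}

// Decode a list<i32>; the array is allocated only after the header checks pass.
function decodeI32List(frame, offset = 0) {
  const { elemType, size, bodyOffset } = readListHeader(frame, offset);
  if (elemType !== TType.I32) throw new TypeError(`expected i32 list, got type ${elemType}`);
  const values = new Array(size);
  for (let i = 0; i < size; i++) values[i] = frame.readInt32BE(bodyOffset + 4 * i);
  return values;
}

// Encode a framed list<i32> message (used to build the well-formed sample).
function encodeFramedI32List(values) {
  const body = Buffer.alloc(5 + 4 * values.length);
  body.writeUInt8(TType.I32, 0);
  body.writeInt32BE(values.length, 1);
  values.forEach((v, i) => body.writeInt32BE(v, 5 + 4 * i));
  const header = Buffer.alloc(4);
  header.writeInt32BE(body.length, 0);
  return Buffer.concat([header, body]);
}

// Decode a whole framed message: frame check first, then the list header.
function decodeFramed(buf) {
  const len = readFrameLength(buf);
  if (buf.length - 4 < len) throw new RangeError('frame body truncated');
  return decodeI32List(buf.subarray(4, 4 + len));
}

// Constructed samples: a well-formed 3-element list, and a hostile header that
// declares 2^31-1 elements inside a 9-byte frame body.
const GOOD_MESSAGE = encodeFramedI32List([1, 2, 3]);
const HOSTILE_MESSAGE = Buffer.from([0, 0, 0, 9, TType.I32, 0x7f, 0xff, 0xff, 0xff, 0, 0, 0, 1]);

// Convenience wrapper returning a result object instead of throwing.
function classify(buf) {
  try { return { ok: true, values: decodeFramed(buf) }; }
  catch (err) { return { ok: false, error: err.message }; }
}
```

Both checks matter: the container cap alone still lets a client declare one million elements in a ten-byte message, and the remaining-bytes check alone still lets a genuinely large frame demand a correspondingly large allocation. Together they bound the allocation by what was actually received and by what the service is willing to hold.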

_____________________________________________________________________

CVE-2026-43869: Apache Thrift: TSSLTransportFactory.java hostname
verification
Severity: important

Affected versions:

- Apache Thrift before 0.23.0

Description:

Improper Validation of Certificate with Host Mismatch vulnerability
in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the
issue.

References:

https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43869



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================