{"id":"GHSA-cjw4-2w9r-r8mv","summary":"Missing Initialization of Resource in Apache Arrow","details":"While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.","aliases":["CVE-2019-12410","PYSEC-2019-196"],"modified":"2024-10-21T20:26:49.848433Z","published":"2022-05-24T17:00:40Z","database_specific":{"severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-909"],"nvd_published_at":"2019-11-08T19:15:00Z","github_reviewed_at":"2022-06-28T14:36:30Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12410"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-cjw4-2w9r-r8mv"},{"type":"PACKAGE","url":"https://github.com/apache/arrow"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2019-196.yaml"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/red-arrow/CVE-2019-12410.yml"},{"type":"WEB","url":"https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2019/11/08/1"}],"affected":[{"package":{"name":"pyarrow","ecosystem":"PyPI","purl":"pkg:pypi/pyarrow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.12.0"},{"fixed":"0.15.1"}]}],"versions":["0.12.0","0.12.1","0.13.0","0.14.0","0.14.1","0.15.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cjw4-2w9r-r8mv/GHSA-cjw4-2w9r-r8mv.json"}},{"package":{"name":"red-arrow","ecosystem":"RubyGems","purl":"pkg:gem/red-arrow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.12.0"},{"fixed":"0.15.1"}]}],"versions":["0.12.0","0.13.0","0.14.0","0.14.1","0.15.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cjw4-2w9r-r8mv/GHSA-cjw4-2w9r-r8mv.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}