LAYER: meta
PACKAGE NAME: orc
PACKAGE VERSION: 0.4.39
CVE: CVE-2018-8015
CVE STATUS: Patched
CVE SUMMARY: In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8015

LAYER: meta
PACKAGE NAME: orc
PACKAGE VERSION: 0.4.39
CVE: CVE-2024-40897
CVE STATUS: Patched
CVE SUMMARY: A stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked into processing a specially crafted file with the affected ORC compiler, arbitrary code may be executed in the developer's build environment. This may lead to compromise of developer machines or CI build environments.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.7
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40897