From 3f0013a38c441d48a07e9655aa99ef5f909c90e8 Mon Sep 17 00:00:00 2001
From: Albert Pastrana
Date: Mon, 3 May 2021 16:42:21 +0200
Subject: [PATCH] Fixes thrift vulnerabilities

Current version of libThrift has some vulnerabilities, updating it to 0.14.0 should fix them.

```+-----------------------------+------------------+----------+-------------------+---------------+--------------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------------------------+------------------+----------+-------------------+---------------+--------------------------------------------+ | org.apache.thrift:libthrift | CVE-2018-1320 | HIGH | 0.10.0 | 0.12.0 | thrift: SASL negotiation | | | | | | | isComplete validation bypass in the | | | | | | | org.apache.thrift.transport.TSaslTransport | | | | | | | class -->avd.aquasec.com/nvd/cve-2018-1320 | + +------------------+ + +---------------+--------------------------------------------+ | | CVE-2019-0205 | | | 0.13.0 | thrift: Endless loop when | | | | | | | feed with specific input data | | | | | | | -->avd.aquasec.com/nvd/cve-2019-0205 | + +------------------+ + + +--------------------------------------------+ | | CVE-2019-0210 | | | | thrift: Out-of-bounds read | | | | | | | related to TJSONProtocol | | | | | | | or TSimpleJSONProtocol | | | | | | | -->avd.aquasec.com/nvd/cve-2019-0210 | + +------------------+ + +---------------+--------------------------------------------+ | | CVE-2020-13949 | | | 0.14.0 | libthrift: potential DoS when | | | | | | | processing untrusted payloads | | | | | | | -->avd.aquasec.com/nvd/cve-2020-13949 | +-----------------------------+------------------+----------+-------------------+---------------+--------------------------------------------+```
---
build.sbt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.sbt b/build.sbt
index 5d081a273..9c62809d8 100644
--- a/build.sbt
+++ b/build.sbt
@@ -98,7 +98,7 @@ lazy val versions = new {
 val junit = "4.12"
 val kafka24 = "2.4.1"
 val kafka25 = "2.5.0"
- val libThrift = "0.10.0"
+ val libThrift = "0.14.0"
 val logback = "1.2.3"
 val mockitoScala = "1.14.8"
 val mustache = "0.8.18"