Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13M3I5LXI5dzctOGg0OM4AAj8K
Golang Facebook Thrift servers vulnerable to denial of service
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.
Specific Go Packages Affected
github.com/facebook/fbthrift/thrift/lib/go/thrift
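The allocation pattern the advisory describes, and the bound that closes it, as an added Go example (not fbthrift's own code): a minimal reader for a Thrift-binary-style list header (1-byte element type tag, big-endian int32 element count) that refuses to preallocate when the declared count cannot fit in the bytes that actually arrived. The function names, the element-type tag value and both messages are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed Thrift-binary-style list header: 1-byte element type tag, then a
// big-endian int32 element count. Only I32 elements (4 bytes each) are handled.
const (
	typeI32       byte = 8
	i32Size            = 4
	listHeaderLen      = 5
)
var ErrSizeTooBig = errors.New("declared container size exceeds remaining payload")
// DeclaredListSize returns the element count the header claims. Trusting this
// value for a preallocation is the behaviour the advisory describes.
func DeclaredListSize(msg []byte) (int32, error) {
	if len(msg) < listHeaderLen || msg[0] != typeI32 {
		return 0, errors.New("bad or truncated list header")
	}
	return int32(binary.BigEndian.Uint32(msg[1:listHeaderLen])), nil
}

// ReadI32List decodes the list only after checking that the declared count fits
// in the bytes actually present, so make() never sees a client-chosen size.
func ReadI32List(msg []byte) ([]int32, error) {
	n, err := DeclaredListSize(msg)
	if err != nil {
		return nil, err
	}
	if n < 0 || int(n) > (len(msg)-listHeaderLen)/i32Size {
		return nil, ErrSizeTooBig // short message, huge count: refuse before allocating
	}
	out := make([]int32, 0, int(n)) // n is now bounded by len(msg)
	for i := 0; i < int(n); i++ {
		off := listHeaderLen + i*i32Size
		out = append(out, int32(binary.BigEndian.Uint32(msg[off:off+i32Size])))
	}
	return out, nil
}
func main() {
	// Constructed hostile message: header claims 2^31-1 elements but carries no payload.
	bad := []byte{typeI32, 0x7f, 0xff, 0xff, 0xff}
	n, _ := DeclaredListSize(bad)
	_, err := ReadI32List(bad)
	fmt.Printf("declared %d elements in %d bytes: %v\n", n, len(bad), err)
}
```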
Permalink: https://github.com/advisories/GHSA-w3r9-r9w7-8h48
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13M3I5LXI5dzctOGg0OM4AAj8K
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-w3r9-r9w7-8h48, CVE-2019-11939
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-11939
- https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
- https://www.facebook.com/security/advisories/cve-2019-11939
- https://pkg.go.dev/vuln/GO-2021-0082
- https://github.com/advisories/GHSA-w3r9-r9w7-8h48
Blast Radius: 11.0
Affected Packages
go:github.com/facebook/fbthrift
Dependent packages: 53
Dependent repositories: 29
Downloads:
Affected Version Ranges: < 0.31.1-0.20200311080807-483ed864d69f
Fixed in: 0.31.1-0.20200311080807-483ed864d69f
All affected versions: 0.20.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0
All unaffected versions: