Vulnerability Report: GO-2021-0082

CVE-2019-11939, GHSA-w3r9-r9w7-8h48
Affects: github.com/facebook/fbthrift
Published: Apr 14, 2021
Modified: Dec 14, 2023

Thrift Servers preallocate memory for the declared size of messages before checking the actual size of the message. This allows a malicious user to send messages that declare that they are significantly larger than they actually are, allowing them to force the server to allocate significant amounts of memory. This can be used as a denial of service vector.

Affected Packages

Path

Versions

Symbols
github.com/facebook/fbthrift/thrift/lib/go/thrift

before v0.31.1-0.20200311080807-483ed864d69f

all symbols

Aliases

CVE-2019-11939
GHSA-w3r9-r9w7-8h48

References

https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
https://www.facebook.com/security/advisories/cve-2019-11939
https://vuln.go.dev/ID/GO-2021-0082.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL