Vulnerability Report: GO-2021-0082
- CVE-2019-11939, GHSA-w3r9-r9w7-8h48
- Affects: github.com/facebook/fbthrift
- Published: Apr 14, 2021
- Modified: May 20, 2024
Thrift Servers preallocate memory for the declared size of messages before checking the actual size of the message. This allows a malicious user to send messages that declare that they are significantly larger than they actually are, allowing them to force the server to allocate significant amounts of memory. This can be used as a denial of service vector.
Affected Packages
-
PathGo VersionsSymbols
-
before v0.31.1-0.20200311080807-483ed864d69fall symbols
Aliases
References
- https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
- https://www.facebook.com/security/advisories/cve-2019-11939
- https://vuln.go.dev/ID/GO-2021-0082.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.