CVE-2019-11939 – github.com/facebook/fbthrift
Package
Manager: go
Name: github.com/facebook/fbthrift
Vulnerable Version: >=0 <0.31.1-0.20200311080807-483ed864d69f
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
EPSS: 0.00615 (percentile: 0.68955)
Details
Golang Facebook Thrift servers vulnerable to denial of service

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

Specific Go Packages Affected: github.com/facebook/fbthrift/thrift/lib/go/thrift
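The class of check whose absence is described above, shown as an added example (not fbthrift's own code or its actual fix): the declared element count is compared with the bytes still unread before any allocation. The names `readI32List`, `encodeList` and `ErrSizeExceedsPayload` are hypothetical, and the framing is a simplified binary-protocol list header (1-byte element type, 4-byte big-endian count) carrying i32 elements.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrSizeExceedsPayload: the header declares more elements than the bytes left can hold.
var ErrSizeExceedsPayload = errors.New("declared container size exceeds remaining payload")

const typeI32 = 8 // element type id for i32 in the Thrift binary protocol

// encodeList builds a constructed test message: type byte, declared count, then the elements present.
func encodeList(declared int32, elems ...int32) []byte {
	var b bytes.Buffer
	b.WriteByte(typeI32)
	binary.Write(&b, binary.BigEndian, declared)
	binary.Write(&b, binary.BigEndian, elems)
	return b.Bytes()
}

// readI32List parses the list header and allocates only after validating the declared count.
func readI32List(r *bytes.Reader) ([]int32, error) {
	var hdr [5]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("list header: %w", err)
	}
	if hdr[0] != typeI32 {
		return nil, fmt.Errorf("unexpected element type %d", hdr[0])
	}
	size := int32(binary.BigEndian.Uint32(hdr[1:]))
	// Each i32 occupies 4 wire bytes; compare in int64 so the product cannot overflow.
	if size < 0 || int64(size)*4 > int64(r.Len()) {
		return nil, ErrSizeExceedsPayload
	}
	out := make([]int32, size) // bounded by the bytes actually received
	if err := binary.Read(r, binary.BigEndian, out); err != nil {
		return nil, err
	}
	return out, nil
}

func main() {
	fmt.Println(readI32List(bytes.NewReader(encodeList(2, 7, 9))))
	fmt.Println(readI32List(bytes.NewReader(encodeList(1 << 30))))
}
```

Without the size comparison, the second call in `main` would reach `make` with a count of 1<<30 from a 5-byte message, which is the allocation pattern CWE-770 describes.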
Metadata
Created: 2022-05-24T17:11:45Z
Modified: 2023-09-29T17:09:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w3r9-r9w7-8h48/GHSA-w3r9-r9w7-8h48.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-w3r9-r9w7-8h48
Finding: F067
Auto approve: 1