{
"schema_version": "1.3.1",
"id": "GO-2021-0082",
"modified": "0001-01-01T00:00:00Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2019-11939",
"GHSA-w3r9-r9w7-8h48"
],
"summary": "Denial of service via malicious message size declaration in github.com/facebook/fbthrift",
"details": "Thrift servers preallocate memory for the declared size of a message before checking the message's actual size. A malicious user can therefore send messages that declare a size significantly larger than their actual size, forcing the server to allocate significant amounts of memory. This can be used as a denial of service vector.",
"affected": [
{
"package": {
"name": "github.com/facebook/fbthrift",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1-0.20200311080807-483ed864d69f"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/facebook/fbthrift/thrift/lib/go/thrift"
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2019-11939"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0082",
"review_status": "REVIEWED"
}
}