| id: GO-2021-0082 |
| modules: |
| - module: github.com/facebook/fbthrift |
| versions: |
| - fixed: 0.31.1-0.20200311080807-483ed864d69f |
| vulnerable_at: 0.31.1-0.20200311052902-c8800899625e |
| packages: |
| - package: github.com/facebook/fbthrift/thrift/lib/go/thrift |
| summary: |- |
| Denial of service via malicious message size declaration in |
| github.com/facebook/fbthrift |
| description: |- |
| Thrift Servers preallocate memory for the declared size of messages before |
| checking the actual size of the message. This allows a malicious user to send |
| messages that declare that they are significantly larger than they actually are, |
| allowing them to force the server to allocate significant amounts of memory. |
| This can be used as a denial of service vector. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2019-11939 |
| ghsas: |
| - GHSA-w3r9-r9w7-8h48 |
| references: |
| - fix: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757 |
| - web: https://www.facebook.com/security/advisories/cve-2019-11939 |
| review_status: REVIEWED |