blob: b0cc54f37d0e184f14a982d4a28ad5f140f40a07 [file] [log] [blame]
id: GO-2021-0088
modules:
- module: github.com/facebook/fbthrift
versions:
- fixed: 0.31.1-0.20190225164308-c461c1bd1a3e
vulnerable_at: 0.31.1-0.20190225124004-41af43a0444b
packages:
- package: github.com/facebook/fbthrift/thrift/lib/go/thrift
symbols:
- Skip
derived_symbols:
- BinaryProtocol.Skip
- CompactProtocol.Skip
- HeaderProtocol.Skip
- JSONProtocol.Skip
- Process
- ProcessContext
- SimpleJSONProtocol.Skip
- SimpleServer.AcceptLoop
- SimpleServer.AcceptLoopContext
- SimpleServer.Serve
- SimpleServer.ServeContext
- SkipDefaultDepth
- applicationException.Read
summary: Denial of service via ignored unknown fields in github.com/facebook/fbthrift
description: |-
Skip ignores unknown fields, rather than failing. A malicious user can craft
small messages with unknown fields which can take significant resources to
parse. If a server accepts messages from an untrusted user, it may be used as a
denial of service vector.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-3564
ghsas:
- GHSA-x4rg-4545-4w7w
references:
- fix: https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156
- web: https://www.facebook.com/security/advisories/cve-2019-3564