Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.
CVE-2019-11939 - High Severity Vulnerability
github.com/lightstep/lightstep-tracer-go/thrift_0_9_2/lib/go/thrift-v0.15.2
The LightStep distributed tracing library for Go
Dependency Hierarchy: - github.com/lightstep/lightstep-tracer-go-v0.15.2 (Root Library) - github.com/lightstep/lightstep-tracer-go/lightstep_thrift-v0.15.2 - :x: **github.com/lightstep/lightstep-tracer-go/thrift_0_9_2/lib/go/thrift-v0.15.2** (Vulnerable Library)
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.
Publish Date: 2020-03-18
URL: CVE-2019-11939
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11939
Release Date: 2020-03-18
Fix Resolution: v2020.03.16.00