Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.
CVE-2019-3564 - High Severity Vulnerability
github.com/lightstep/lightstep-tracer-go/thrift_0_9_2/lib/go/thrift-v0.15.2
The LightStep distributed tracing library for Go
Dependency Hierarchy: - github.com/lightstep/lightstep-tracer-go-v0.15.2 (Root Library) - github.com/lightstep/lightstep-tracer-go/lightstep_thrift-v0.15.2 - :x: **github.com/lightstep/lightstep-tracer-go/thrift_0_9_2/lib/go/thrift-v0.15.2** (Vulnerable Library)
Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.
Publish Date: 2019-05-06
URL: CVE-2019-3564
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3564
Release Date: 2019-05-06
Fix Resolution: v2019.03.04.00