CVE-2019-11939
Denial of service via malicious message size declaration in github.com/facebook/fbthrift
7.5
HIGH
CVSS 3.1
EPSS 0.54%
Description
Thrift Servers preallocate memory for the declared size of messages before checking the actual size of the message. This allows a malicious user to send messages that declare that they are significantly larger than they actually are, allowing them to force the server to allocate significant amounts of memory. This can be used as a denial of service vector.
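The pattern behind this advisory is generic to any length-prefixed wire format: a reader that sizes its buffer from the untrusted length field allocates before a single payload byte has arrived. The Go program below is an added illustration, not fbthrift's own code, written against a minimal framed transport (4-byte big-endian length prefix, the framing Thrift's framed transport uses). It places the vulnerable read (`readFrameUnchecked`) beside a hardened one (`readFrameChecked`) that bounds the declared size and grows its buffer only with bytes actually received. `MaxFrameSize`, `encodeFrame` and the sample frames are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MaxFrameSize is an assumed per-deployment ceiling for one framed message.
// Pick it from the largest legitimate message the service handles, not from
// what the client declares.
const MaxFrameSize uint32 = 1 << 20 // 1 MiB, example value

// ErrFrameTooLarge is returned before any allocation when the header lies.
var ErrFrameTooLarge = errors.New("declared frame size exceeds limit")

// encodeFrame builds a constructed test frame. `declared` is written into the
// header independently of len(payload) so a mismatched declaration can be
// simulated.
func encodeFrame(payload []byte, declared uint32) []byte {
	out := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(out[:4], declared)
	copy(out[4:], payload)
	return out
}

// readFrameUnchecked mirrors the vulnerable pattern described in the advisory:
// the buffer is sized from the header before the payload is examined, so the
// peer controls the allocation size (up to 4 GiB per frame).
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	buf := make([]byte, n) // allocation driven entirely by the untrusted header
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("short frame: declared %d: %w", n, err)
	}
	return buf, nil
}

// readFrameChecked rejects an oversized declaration before allocating and then
// reads through io.CopyN into a bytes.Buffer, which grows with the bytes that
// actually arrive rather than with the declared length. A short frame is
// surfaced as io.EOF so the caller can drop the connection.
func readFrameChecked(r io.Reader, limit uint32) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > limit {
		return nil, fmt.Errorf("%w: declared %d, limit %d", ErrFrameTooLarge, n, limit)
	}
	var buf bytes.Buffer
	got, err := io.CopyN(&buf, r, int64(n))
	if err != nil {
		return nil, fmt.Errorf("short frame: declared %d, got %d: %w", n, got, err)
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample: a 3-byte payload with an honest header and one with
	// a header claiming 16 MiB. The unchecked reader commits 16 MiB before it
	// learns the truth; the checked reader refuses at the header.
	honest := encodeFrame([]byte("abc"), 3)
	lying := encodeFrame([]byte("abc"), 16<<20)

	if f, err := readFrameChecked(bytes.NewReader(honest), MaxFrameSize); err == nil {
		fmt.Printf("checked reader accepted %q\n", f)
	}
	if _, err := readFrameChecked(bytes.NewReader(lying), MaxFrameSize); err != nil {
		fmt.Println("checked reader:", err)
	}
	if _, err := readFrameUnchecked(bytes.NewReader(lying)); err != nil {
		fmt.Println("unchecked reader (after allocating 16 MiB):", err)
	}
}
```

The limit check is the remediation in the advisory's terms; the incremental read is a second layer that also keeps memory proportional to real input when the declared size is under the limit but the client stalls mid-frame. Pair the read with a per-connection deadline so a slow sender cannot hold a partially filled buffer indefinitely.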
How to fix CVE-2019-11939
To remediate CVE-2019-11939, upgrade the affected package to a fixed version below.
- upgrade to 0.31.1-0.20200311080807-483ed864d69f or later
- upgrade to 0.31.1-0.20200311080807-483ed864d69f or later
Is CVE-2019-11939 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.31.1-0.20200311080807-483ed864d69f
- from 0, < 0.31.1-0.20200311080807-483ed864d69f
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |