CVE-2019-11938

Name: CVE-2019-11938

Description: Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.

NVD Severity: medium

References

| Type | URI |
| --- | --- |
| Patch | https://github.com/facebook/fbthrift/commit/08c2d412adb214c40bb03be7587057b25d053030 |
| Patch | https://github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3 |
| Vendor Advisory | https://www.facebook.com/security/advisories/cve-2019-11938 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:facebook:thrift:*:*:*:*:*:*:*:* | thrift | >= None | < 2019.12.09.00 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| thrift | 3.15-community | 0.15.0-r1 | Patrick Gansterer <paroga@paroga.com> | possibly vulnerable |
| thrift | 3.16-community | 0.16.0-r1 | Patrick Gansterer <paroga@paroga.com> | possibly vulnerable |
| thrift | 3.17-community | 0.17.0-r0 | Patrick Gansterer <paroga@paroga.com> | possibly vulnerable |
| thrift | 3.18-community | 0.18.1-r2 | Patrick Gansterer <paroga@paroga.com> | possibly vulnerable |
| thrift | 3.19-community | 0.19.0-r0 | Patrick Gansterer <paroga@paroga.com> | possibly vulnerable |
| thrift | edge-community | 0.20.0-r1 | Patrick Gansterer <paroga@paroga.com> | possibly vulnerable |
| thrift | 3.20-community | 0.20.0-r1 | Patrick Gansterer <paroga@paroga.com> | possibly vulnerable |