CVE-2019-3553

Name
CVE-2019-3553
Description
C++ Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.02.03.00.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://github.com/facebook/fbthrift/commit/3f156207e8a6583d88999487e954320dc18955e6
Vendor Advisory https://www.facebook.com/security/advisories/cve-2019-3553
Patch https://github.com/facebook/fbthrift/commit/c9a903e5902834e95bbd4ab0e9fa53ba0189f351

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:facebook:thrift:*:*:*:*:*:*:*:* thrift >= None < 2020.02.03.00

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
thrift 3.15-community 0.15.0-r1 Patrick Gansterer <paroga@paroga.com> possibly vulnerable
thrift 3.16-community 0.16.0-r1 Patrick Gansterer <paroga@paroga.com> possibly vulnerable
thrift 3.17-community 0.17.0-r0 Patrick Gansterer <paroga@paroga.com> possibly vulnerable
thrift 3.18-community 0.18.1-r2 Patrick Gansterer <paroga@paroga.com> possibly vulnerable
thrift 3.19-community 0.19.0-r0 Patrick Gansterer <paroga@paroga.com> possibly vulnerable
thrift edge-community 0.20.0-r1 Patrick Gansterer <paroga@paroga.com> possibly vulnerable
thrift 3.20-community 0.20.0-r1 Patrick Gansterer <paroga@paroga.com> possibly vulnerable