oss-sec mailing list archives
CVE-2020-13949: Apache Thrift: potential DoS when processing untrusted payloads
From: "Jens Geyer" <jensg () apache org>
Date: Thu, 11 Feb 2021 23:43:29 +0100
CVE-2020-13949: potential DoS when processing untrusted Thrift payloads

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Thrift up to and including 0.13.0

Description: Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Mitigation: Upgrade to version 0.14.0

Credit: This issue was reported by Hasnain Lakhani of Facebook.

On behalf of the Apache Thrift PMC,
Jens Geyer
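As an added illustration (not code from the advisory or from Apache Thrift), the following minimal Python reader for a Thrift binary-protocol list header shows the flaw described above and the kind of bound a fixed reader needs: the declared element count is compared against the bytes actually present before anything is allocated. The function names, the `check_size` flag and the sample messages are assumptions constructed for this example; the actual 0.14.0 patch is not reproduced here.

```python
import struct

# Thrift binary-protocol type ids for the fixed-width element types handled here
# (values from the Thrift binary protocol spec); format strings give their widths.
T_BOOL, T_BYTE, T_I16, T_I32, T_I64 = 2, 3, 6, 8, 10
ELEM_FMT = {T_BOOL: ">?", T_BYTE: ">b", T_I16: ">h", T_I32: ">i", T_I64: ">q"}

class MalformedPayload(ValueError):
    """Raised when a container header cannot be satisfied by the bytes present."""

def read_list(buf: bytes, offset: int = 0, check_size: bool = True):
    """Parse one binary-protocol list (1-byte element type, 4-byte big-endian count,
    then the elements) and return (elements, offset_after_list). check_size=False
    trusts the declared count and allocates from it (the advisory's behaviour);
    check_size=True first bounds the count by the bytes actually remaining."""
    elem_type, count = struct.unpack_from(">bi", buf, offset)
    offset += 5
    if elem_type not in ELEM_FMT:
        raise MalformedPayload(f"unsupported element type {elem_type}")
    if count < 0:
        raise MalformedPayload("negative container size")
    elem_size = struct.calcsize(ELEM_FMT[elem_type])
    if check_size and count * elem_size > len(buf) - offset:
        raise MalformedPayload(f"header declares {count} x {elem_size}-byte elements "
                               f"but only {len(buf) - offset} bytes follow")
    elements = [None] * count  # allocation driven by the (possibly untrusted) header
    try:
        for i in range(count):
            (elements[i],) = struct.unpack_from(ELEM_FMT[elem_type], buf, offset)
            offset += elem_size
    except struct.error:
        raise MalformedPayload(f"payload ended after reserving {count} slots") from None
    return elements, offset

def parse_outcome(buf: bytes, check_size: bool) -> str:
    """Summarise a parse as 'ok:<n>' or 'rejected:<reason>' for easy comparison."""
    try:
        return f"ok:{len(read_list(buf, check_size=check_size)[0])}"
    except MalformedPayload as exc:
        return f"rejected:{exc}"

# Constructed sample messages (not captured traffic): a valid 3-element i32 list and a
# 5-byte message whose header alone claims one million i64 elements.
GOOD_LIST = struct.pack(">bi", T_I32, 3) + struct.pack(">iii", 7, 8, 9)
SHORT_MESSAGE = struct.pack(">bi", T_I64, 1_000_000)

if __name__ == "__main__":
    print(parse_outcome(GOOD_LIST, True))       # ok:3
    print(parse_outcome(SHORT_MESSAGE, False))  # rejected only after 1,000,000 slots were reserved
    print(parse_outcome(SHORT_MESSAGE, True))   # rejected before any allocation
```

The unchecked path still fails on the truncated message, but only after the header-sized list has been reserved, which is exactly the allocation a short message should never be able to force.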