CVE-2020-13949: potential DoS when processing untrusted Thrift payloads

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Thrift up to and including 0.13.0

Description: Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Mitigation: Upgrade to version 0.14.0

Credit: This issue was reported by Hasnain Lakhani of Facebook.

On behalf of the Apache Thrift PMC,
Jens Geyer
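The Description above is the whole of the advisory's technical content: a container header declares an element count, and a decoder that preallocates for that count before confirming the bytes are actually present turns a few-byte message into a large allocation. The following is an added illustration written for this page, not code from Apache Thrift and not the project's 0.14.0 fix. It models the list header of Thrift's binary protocol (1-byte element type, 4-byte big-endian count; the TType ids are the real libthrift values) and pairs a trusting header read with a checked one. The MIN_WIRE_BYTES lower bounds, the function names and the sample payloads are assumptions constructed for the example.

```python
import struct

# Thrift TType ids as used on the wire by TBinaryProtocol (these match libthrift).
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64 = 2, 3, 4, 6, 8, 10
T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 11, 12, 13, 14, 15

# Smallest number of bytes one element of each type can occupy on the wire.
# Assumed lower bounds chosen for this example: a string needs at least its
# 4-byte length prefix, a struct at least a 1-byte STOP field, a list/set at
# least its 5-byte header, a map its 6-byte header. Used to bound a declared count.
MIN_WIRE_BYTES = {
    T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8,
    T_STRING: 4, T_STRUCT: 1, T_MAP: 6, T_SET: 5, T_LIST: 5,
}
LIST_HEADER_FMT = ">bi"                              # element type + int32 count, big-endian
LIST_HEADER_LEN = struct.calcsize(LIST_HEADER_FMT)   # 5 bytes


class PayloadError(ValueError):
    """Raised when a payload is rejected before any count-dependent allocation."""


def read_list_header_unchecked(buf, offset=0):
    """Pre-fix behaviour: trust the declared count and preallocate for it.

    The allocation is proportional to a peer-chosen int32, not to the number of
    bytes actually received, which is the defect the advisory describes.
    """
    etype, count = struct.unpack_from(LIST_HEADER_FMT, buf, offset)
    return etype, count, [None] * count


def read_list_header_checked(buf, offset=0):
    """Hardened variant: validate the declared count against the bytes remaining."""
    if len(buf) - offset < LIST_HEADER_LEN:
        raise PayloadError("truncated list header")
    etype, count = struct.unpack_from(LIST_HEADER_FMT, buf, offset)
    if count < 0:
        raise PayloadError("negative container size %d" % count)
    min_bytes = MIN_WIRE_BYTES.get(etype)
    if min_bytes is None:
        raise PayloadError("unknown element type %d" % etype)
    remaining = len(buf) - offset - LIST_HEADER_LEN
    # A count of N elements needs at least N * min_bytes more bytes in the payload.
    if count * min_bytes > remaining:
        raise PayloadError(
            "declared %d elements (>= %d bytes) but only %d bytes remain"
            % (count, count * min_bytes, remaining))
    return etype, count


def decode_i32_list(buf, offset=0):
    """Decode a list<i32>; the checked header read bounds allocation by payload size."""
    etype, count = read_list_header_checked(buf, offset)
    if etype != T_I32:
        raise PayloadError("expected i32 elements, got type %d" % etype)
    body = offset + LIST_HEADER_LEN
    return list(struct.unpack_from(">%di" % count, buf, body))


# Constructed sample payloads for the example (not captured traffic).
BENIGN = struct.pack(LIST_HEADER_FMT, T_I32, 3) + struct.pack(">3i", 1, 2, 3)
# Declares INT32_MAX i32 elements but carries only two trailing bytes.
OVERSIZED = struct.pack(LIST_HEADER_FMT, T_I32, 0x7FFFFFFF) + b"\x00\x00"
# Same shape with a modest count so the unchecked path can be run safely here.
OVERSIZED_SMALL = struct.pack(LIST_HEADER_FMT, T_I32, 1_000_000) + b"\x00\x00"


if __name__ == "__main__":
    print(decode_i32_list(BENIGN))
    _, n, prealloc = read_list_header_unchecked(OVERSIZED_SMALL)
    print("unchecked: 2-byte payload caused preallocation of", len(prealloc), "slots")
    try:
        read_list_header_checked(OVERSIZED)
    except PayloadError as e:
        print("checked: rejected ->", e)
```

The unchecked reader is deliberately never called on OVERSIZED in the example, since that would attempt the very allocation the advisory warns about; the checked reader rejects it from the 5-byte header alone. The same bound applies to set and map headers, and a decoder that streams elements instead of preallocating still benefits from it, because the element loop would otherwise spin for the declared count before hitting end of input.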