Hi,

Would you be able to tell me the JIRA ticket or GitHub PR # which addressed this CVE? I couldn't find them...

Best regards,
Yuta Kawadai

On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote:
> CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Thrift up to and including 0.13.0
>
> Description:
> Applications using Thrift would not error upon receiving messages declaring
> containers of sizes larger than the payload. As a result, malicious RPC
> clients could send short messages which would result in a large memory
> allocation, potentially leading to denial of service.
>
> Mitigation:
> Upgrade to version 0.14.0
>
> Credit:
> This issue was reported by Hasnain Lakhani of Facebook.
>
> On behalf of the Apache Thrift PMC,
> Jens Geyer
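The allocation pattern the quoted advisory describes, as an added illustration that is not code from Apache Thrift or from either poster: a toy reader for a Thrift binary-protocol list of i32 (one TType byte followed by a big-endian i32 element count, which is the real wire layout). In its unbounded mode it trusts the declared count and preallocates before reading a single element, so a 13-byte message can drive a million-slot allocation; in its bounded mode it first checks that count times the minimum serialized element width fits in the bytes that remain. The names ListReader, check_read_bytes_available, encode_list_i32 and attempt are my own, as is the check itself (it mirrors the idea of bounding declared sizes by the payload, not Thrift's actual 0.14.0 patch), and the input messages are constructed.

```python
import struct

# Thrift binary-protocol type codes used here (TType values from the Thrift spec).
T_I32 = 8
T_LIST = 15

# Minimum serialized width, in bytes, of each element type this toy reader supports.
ELEM_WIDTH = {T_I32: 4}


class ProtocolError(Exception):
    """Raised on malformed or truncated input."""


class ListReader:
    """Minimal reader for a Thrift binary-protocol list of i32.

    bound_by_payload=False: trust the declared element count and preallocate
    before reading any element (the behaviour the advisory describes).
    bound_by_payload=True: first check that the declared count could possibly
    fit in the bytes that remain, and reject the message if it cannot.
    """

    def __init__(self, buf: bytes, bound_by_payload: bool) -> None:
        self.buf = buf
        self.pos = 0
        self.bound_by_payload = bound_by_payload
        self.preallocated = 0  # elements preallocated so far, for observation only

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def read_bytes(self, n: int) -> bytes:
        if n > self.remaining():
            raise ProtocolError("truncated: wanted %d bytes, %d left" % (n, self.remaining()))
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_byte(self) -> int:
        return self.read_bytes(1)[0]

    def read_i32(self) -> int:
        return struct.unpack(">i", self.read_bytes(4))[0]

    def check_read_bytes_available(self, needed: int) -> None:
        # Hypothetical guard: a container of N elements cannot be shorter than
        # N * (minimum element width) bytes, so anything larger is a lie.
        if self.bound_by_payload and needed > self.remaining():
            raise ProtocolError(
                "declared container needs at least %d bytes, only %d left"
                % (needed, self.remaining()))

    def read_list_i32(self) -> list:
        etype = self.read_byte()
        size = self.read_i32()
        if size < 0:
            raise ProtocolError("negative list size")
        if etype not in ELEM_WIDTH:
            raise ProtocolError("unsupported element type %d" % etype)
        self.check_read_bytes_available(size * ELEM_WIDTH[etype])
        out = [0] * size  # allocation sized by an attacker-controlled number
        self.preallocated += size
        for i in range(size):
            out[i] = self.read_i32()
        return out


def encode_list_i32(declared_size: int, values: list) -> bytes:
    """Build a list header claiming `declared_size` elements, followed by `values`."""
    header = struct.pack(">bi", T_I32, declared_size)
    return header + b"".join(struct.pack(">i", v) for v in values)


def attempt(buf: bytes, bound_by_payload: bool):
    """Parse `buf`; return ("ok", preallocated, values) or ("error", preallocated, message)."""
    reader = ListReader(buf, bound_by_payload)
    try:
        values = reader.read_list_i32()
        return ("ok", reader.preallocated, values)
    except ProtocolError as exc:
        return ("error", reader.preallocated, str(exc))


# Constructed inputs (not taken from any real capture).
HONEST = encode_list_i32(3, [1, 2, 3])
# A 13-byte message that claims a million i32 elements but carries only two.
MALICIOUS = encode_list_i32(1_000_000, [1, 2])

if __name__ == "__main__":
    print(attempt(HONEST, bound_by_payload=True))
    print(attempt(MALICIOUS, bound_by_payload=False))  # a million slots allocated, then EOF
    print(attempt(MALICIOUS, bound_by_payload=True))   # rejected before any allocation
```

The same bound applies to strings, sets and maps: for variable-width elements the multiplier is the smallest header an element can have (for example the 4-byte length prefix of a string), which is still enough to reject a count that exceeds the remaining bytes.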