Hi

Would you be able to tell me the JIRA ticket or GitHub PR# which addressed this 
CVE?
I couldn't find them...

Best regards,
Yuta Kawadai

On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote: 
> CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
> 
> Severity: Important
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache Thrift up to and including 0.13.0
> 
> Description:
> Applications using Thrift would not error upon receiving messages declaring 
> containers of sizes larger than the payload. As a result, malicious RPC 
> clients could send short messages which would result in a large memory 
> allocation, potentially leading to denial of service.
> 
> Mitigation:
> Upgrade to version 0.14.0
> 
> Credit:
> This issue was reported by Hasnain Lakhani of Facebook.
> 
> On behalf of the Apache Thrift PMC,
> Jens Geyer
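The class of check the advisory describes (refusing a declared container size the payload cannot back, before allocating for it) as an added illustrative example; this is not Thrift's code or its actual fix, and it assumes a Thrift-style binary list header (1-byte element type, big-endian i32 count) and a deployment-chosen size limit.

```python
import struct

# Assumed header layout modelled on the Thrift binary protocol; the limit
# is an illustrative, deployment-chosen value, not a Thrift default.
MAX_CONTAINER_SIZE = 10_000
LIST_HEADER = struct.Struct(">bi")  # element type (i8), count (i32)
T_BYTE = 3  # TType.BYTE


class ProtocolError(ValueError):
    """Raised for a header the remaining payload cannot satisfy."""


def naive_read_byte_list(buf: bytes, offset: int = 0):
    """Pre-fix pattern: trust the declared count and allocate for it."""
    elem_type, count = LIST_HEADER.unpack_from(buf, offset)
    pos = offset + LIST_HEADER.size
    items = [0] * count  # allocation sized by an untrusted count
    tail = buf[pos:pos + count]
    items[:len(tail)] = tail
    return items, pos + count


def read_list_header(buf: bytes, offset: int = 0):
    """Parse a list header, rejecting counts the payload cannot hold."""
    if offset + LIST_HEADER.size > len(buf):
        raise ProtocolError("truncated list header")
    elem_type, count = LIST_HEADER.unpack_from(buf, offset)
    if count < 0:
        raise ProtocolError(f"negative container size {count}")
    if count > MAX_CONTAINER_SIZE:
        raise ProtocolError(f"container size {count} exceeds limit")
    pos = offset + LIST_HEADER.size
    # Every element occupies at least one byte, so a count larger than the
    # bytes left in the message is impossible: fail before allocating.
    if count > len(buf) - pos:
        raise ProtocolError(f"size {count} > {len(buf) - pos} bytes left")
    return elem_type, count, pos


def read_byte_list(buf: bytes, offset: int = 0):
    """Hardened reader: allocate only after the header has been validated."""
    elem_type, count, pos = read_list_header(buf, offset)
    if elem_type != T_BYTE:
        raise ProtocolError(f"unexpected element type {elem_type}")
    return list(buf[pos:pos + count]), pos + count


# Constructed samples: an honest 4-element list, and a 5-byte message
# declaring one million elements it does not carry.
GOOD = bytes([T_BYTE]) + struct.pack(">i", 4) + bytes([1, 2, 3, 4])
HOSTILE = bytes([T_BYTE]) + struct.pack(">i", 1_000_000)
```

The naive reader turns the 5-byte `HOSTILE` message into a million-element allocation, while the hardened reader rejects the header before allocating anything.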
