CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Thrift up to and including 0.13.0
Description:
Applications using Thrift did not raise an error upon receiving messages that declared containers (lists, sets, maps)
with sizes larger than the remaining payload. As a result, malicious RPC clients could send short messages that caused
a large up-front memory allocation, potentially leading to denial of service.
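The following added illustration (not Thrift's own code, and not part of this advisory) contrasts a reader that trusts a declared container count with one that first bounds it against the bytes still available. The binary-protocol list header layout (1-byte element type, 4-byte big-endian count) follows the Thrift spec; the per-type minimum sizes, payloads and function names are assumptions made for this example.

```python
import struct

# Thrift TBinaryProtocol element-type codes.
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64 = 2, 3, 4, 6, 8, 10
T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 11, 12, 13, 14, 15

# Assumed smallest on-the-wire size of one element of each type in the
# binary protocol; used as a lower bound when sanity-checking a count.
MIN_ELEMENT_BYTES = {
    T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8,
    T_STRING: 4,   # 4-byte length prefix, string may be empty
    T_STRUCT: 1,   # at least the T_STOP field marker
    T_MAP: 6, T_SET: 5, T_LIST: 5,
}

def read_list_header(buf, offset=0):
    """Parse a list header: 1-byte element type, 4-byte big-endian signed count."""
    etype, count = struct.unpack_from(">bi", buf, offset)
    return etype, count, offset + 5

def naive_list_read(buf):
    """Pre-fix behaviour: trust the declared count and allocate it up front."""
    etype, count, _ = read_list_header(buf)
    if count < 0:
        raise ValueError("negative container size")
    return [None] * count  # allocates 'count' slots before reading any element

def checked_list_read(buf):
    """Hardened behaviour: reject a count the remaining payload cannot possibly hold."""
    etype, count, pos = read_list_header(buf)
    if count < 0:
        raise ValueError("negative container size")
    remaining = len(buf) - pos
    if count * MIN_ELEMENT_BYTES.get(etype, 1) > remaining:
        raise ValueError(f"declared {count} elements but only {remaining} bytes remain")
    return [None] * count

# Constructed sample payloads (not from the advisory): a header claiming 1000
# i64 elements followed by only 8 bytes, and a well-formed 2-element i32 list.
SHORT_PAYLOAD = struct.pack(">bi", T_I64, 1000) + b"\x00" * 8
VALID_PAYLOAD = struct.pack(">bi", T_I32, 2) + struct.pack(">ii", 7, 9)
```

The naive reader happily allocates 1000 slots from a 13-byte message; scaled to a count near 2^31 that is the allocation the advisory describes, while the checked reader refuses it before allocating.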
Mitigation:
Upgrade to version 0.14.0
Credit:
This issue was reported by Hasnain Lakhani of Facebook.
On behalf of the Apache Thrift PMC,
Jens Geyer