Vulnerability

CVE-2020-13949

 Report advisory or correction

CVSS Score 7.5 high

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400

References

https://issues.apache.org/jira/browse/THRIFT-5237
https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E
https://bugzilla.redhat.com/show_bug.cgi?id=1928172
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13949

[CVE-2020-13949] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Description

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

See org.apache.thrift/libthrift package information