PT-2019-16613 · Facebook · Facebook Thrift

Published

2019-05-06

Updated

2022-02-15

CVE-2019-3564

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Facebook Thrift versions prior to v2019.03.04.00

Description The issue allows malicious clients to send short messages with unknown fields that can take a long time for the server to parse, potentially leading to denial of service. This is because the server does not error upon receiving messages with containers of fields of unknown type and instead attempts to parse them, which can consume significant resources.

Recommendations For Facebook Thrift versions prior to v2019.03.04.00, update to version v2019.03.04.00 or later to resolve the issue. As a temporary workaround, consider restricting access to the server to trusted users only to minimize the risk of exploitation.

Fix

RCE

Improper Handling of Exceptional Conditions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-834CWE-20CWE-755

Related Identifiers

CVE-2019-3564

GHSA-X4RG-4545-4W7W

GO-2021-0088

Affected Products

Facebook Thrift

PT-2019-16613 · Facebook · Facebook Thrift

CVE-2019-3564

Weakness Enumeration

Related Identifiers

Affected Products

References · 14