CVE-2019-0210

Name of the Vulnerable Software and Affected Versions Apache Thrift versions 0.9.3 through 0.12.0

Description The issue is related to insufficient input validation in the Apache Thrift library, which can lead to a denial of service attack. When a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol is fed with invalid input data, it may panic. This can be exploited by a remote attacker to cause a service disruption. The problem arises due to an improper bounds check, allowing maliciously crafted messages to cause panics, especially when parsing untrusted input.

Recommendations For Apache Thrift versions 0.9.3 through 0.12.0, consider disabling the use of TJSONProtocol or TSimpleJSONProtocol until a patch is available to prevent potential denial of service attacks. Restrict access to untrusted input to minimize the risk of exploitation. As a temporary workaround, avoid using these protocols for parsing untrusted data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.