CVE-2019-11939: Golang Facebook Thrift servers vulnerable to denial of service

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.68924%
Published: 5/24/2022
Updated: 9/29/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: github.com/facebook/fbthrift
Ecosystem: go
Vulnerable Versions: < 0.31.1-0.20200311080807-483ed864d69f
First Patched Version: 0.31.1-0.20200311080807-483ed864d69f

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from container size handling during protocol deserialization. The patch adds validation checks to the affected decoding functions that compare the declared container size (map/list/set) against p.trans.RemainingBytes() before any allocation is made. The commit diff identifies these functions as the places where a buffer was pre-allocated from a size taken straight from the message, with no check that the payload could actually hold that many elements. The CWE-770 classification confirms this is a resource-allocation-without-limits issue. The test cases added in the *_test.go files specifically exercise these functions with messages whose declared container size exceeds the bytes present.
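The following is an added example, not fbthrift's own code, written to illustrate the pattern the analysis describes: a decoder that reads a container size from the wire and pre-allocates from it, shown both without and with the remaining-bytes check. The wire format (a big-endian int32 count followed by big-endian int32 elements), the names payloadReader, readListHeader, decodeI32List and minElemSize are all constructed for this example; payloadReader.remainingBytes stands in for the p.trans.RemainingBytes() transport method mentioned above.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrContainerTooLarge is returned when a declared container size cannot fit
// in the bytes that are still unread in the message.
var ErrContainerTooLarge = errors.New("declared container size exceeds remaining payload")

// payloadReader is a minimal stand-in for a Thrift transport (hypothetical):
// a byte slice plus a way to ask how much of the message is still unread.
type payloadReader struct{ r *bytes.Reader }

func newPayloadReader(b []byte) *payloadReader { return &payloadReader{r: bytes.NewReader(b)} }

// remainingBytes plays the role of p.trans.RemainingBytes() in the analysis.
func (p *payloadReader) remainingBytes() uint64 { return uint64(p.r.Len()) }

func (p *payloadReader) readI32() (int32, error) {
	var buf [4]byte
	if _, err := io.ReadFull(p.r, buf[:]); err != nil {
		return 0, err
	}
	return int32(binary.BigEndian.Uint32(buf[:])), nil
}

// minElemSize is the smallest number of bytes any element can occupy on the
// wire (assumed to be 1). Using a lower bound keeps the check valid for every
// element type while still bounding the allocation by the message length.
const minElemSize = 1

// readListHeader reads the declared element count. With validate=false it
// mirrors the pre-patch behaviour and accepts any non-negative size; with
// validate=true it rejects a size that cannot fit in the unread bytes.
func readListHeader(p *payloadReader, validate bool) (int32, error) {
	size, err := p.readI32()
	if err != nil {
		return 0, err
	}
	if size < 0 {
		return 0, errors.New("negative container size")
	}
	if validate && uint64(size)*minElemSize > p.remainingBytes() {
		return 0, ErrContainerTooLarge
	}
	return size, nil
}

// decodeI32List decodes a list of i32 values in the constructed wire format.
func decodeI32List(payload []byte, validate bool) ([]int32, error) {
	p := newPayloadReader(payload)
	size, err := readListHeader(p, validate)
	if err != nil {
		return nil, err
	}
	// Without the check in readListHeader, a 4-byte header drives this
	// allocation to gigabytes no matter how short the actual message is.
	out := make([]int32, 0, size)
	for i := int32(0); i < size; i++ {
		v, err := p.readI32()
		if err != nil {
			return nil, fmt.Errorf("element %d: %w", i, err)
		}
		out = append(out, v)
	}
	return out, nil
}

// encodeI32List builds a well-formed message for the sample input.
func encodeI32List(vals []int32) []byte {
	buf := make([]byte, 4+4*len(vals))
	binary.BigEndian.PutUint32(buf[0:4], uint32(len(vals)))
	for i, v := range vals {
		binary.BigEndian.PutUint32(buf[4+4*i:], uint32(v))
	}
	return buf
}

func main() {
	good := encodeI32List([]int32{1, 2, 3})
	// Constructed short message: declares 1<<20 elements but carries none.
	short := make([]byte, 4)
	binary.BigEndian.PutUint32(short, 1<<20)

	vals, err := decodeI32List(good, true)
	fmt.Println("well-formed:", vals, err)

	size, err := readListHeader(newPayloadReader(short), false)
	fmt.Printf("unchecked header: size=%d err=%v (would reserve %d bytes)\n", size, err, int64(size)*4)

	_, err = decodeI32List(short, true)
	fmt.Println("checked decoder:", err)
}
```

The size-versus-remaining-bytes comparison is only a lower bound: a message that declares three elements but carries two still passes the header check and fails later in the element loop. That is acceptable, because the goal of the check is to cap the allocation at something proportional to the message actually received, not to prove the message is well-formed up front.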


WAF Protection Rules

WAF Rule

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading
