Vulnerability Description
In Apache Thrift 0.9.3 through 0.13.0, a malicious RPC client could send a short message whose declared lengths (for example a string length or container size read from the wire) caused the server to attempt a large memory allocation, potentially leading to denial of service. Thrift 0.14.0 and later are not affected.
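The following stand-alone Python is an added illustration of the pattern behind this bug; it is not code from the advisory or from the Thrift project. A client sends a few bytes whose length prefix declares a huge string or container, and a reader that sizes a buffer from that prefix before validating it reserves gigabytes for a 12-byte request. The hardened Reader below checks every declared size against a configured ceiling and against the bytes actually present before allocating, which is the general shape of the fix that landed in Thrift 0.14.0 (a configurable maximum message size). The wire layout follows TBinaryProtocol strict mode for the small subset used (CALL header, i32, string, list of i32); MAX_MESSAGE_SIZE, the class and function names, and the sample messages are this example's own constructions.

```python
import struct

# Wire constants from the Thrift binary protocol (TBinaryProtocol, strict mode).
VERSION_1, T_CALL = 0x80010000, 1
T_STOP, T_I32, T_STRING, T_LIST = 0, 8, 11, 15

# Ceiling for any single declared size. Thrift 0.14.0 closed this bug with a configurable
# maximum message size; the 100 MiB figure here is this example's own choice.
MAX_MESSAGE_SIZE = 100 * 1024 * 1024


class ProtocolError(Exception):
    """Raised before any buffer is sized from an untrusted length."""


def encode_call(method: str, seqid: int, fields: list) -> bytes:
    """Strict-mode CALL message; fields are (id, type, value) for i32, string or list<i32>."""
    name = method.encode()
    out = struct.pack(">Ii", VERSION_1 | T_CALL, len(name)) + name + struct.pack(">i", seqid)
    for fid, ftype, value in fields:
        out += struct.pack(">bh", ftype, fid)
        if ftype == T_I32:
            out += struct.pack(">i", value)
        elif ftype == T_STRING:
            out += struct.pack(">i", len(value)) + value
        elif ftype == T_LIST:
            out += struct.pack(">bi", T_I32, len(value)) + b"".join(struct.pack(">i", v) for v in value)
    return out + struct.pack(">b", T_STOP)


def _checked_size(declared: int, remaining: int, max_size: int, what: str) -> int:
    # Validate a client-declared size before anything is allocated from it.
    if declared < 0:
        raise ProtocolError(f"negative {what} size {declared}")
    if declared > max_size:
        raise ProtocolError(f"{what} size {declared} exceeds limit {max_size}")
    if declared > remaining:
        raise ProtocolError(f"{what} size {declared} declared but only {remaining} available")
    return declared


class Reader:
    # Hardened reader: every length is checked, then consumed from bytes actually received.
    def __init__(self, buf: bytes, max_size: int = MAX_MESSAGE_SIZE):
        self.buf, self.pos, self.max_size = buf, 0, max_size

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ProtocolError("truncated message")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def i32(self) -> int:
        return struct.unpack(">i", self._take(4))[0]

    def string(self) -> bytes:
        n = _checked_size(self.i32(), len(self.buf) - self.pos, self.max_size, "string")
        return self._take(n)  # allocation happens only after the checks

    def list_i32(self) -> list:
        etype, n = struct.unpack(">bi", self._take(5))
        if etype != T_I32:
            raise ProtocolError(f"unsupported list element type {etype}")
        # Each i32 costs 4 wire bytes: bound the count by what can follow, not by the declaration.
        n = _checked_size(n, (len(self.buf) - self.pos) // 4, self.max_size // 4, "list")
        return [self.i32() for _ in range(n)]


def parse_call(msg: bytes, max_size: int = MAX_MESSAGE_SIZE) -> dict:
    r = Reader(msg, max_size)
    header = struct.unpack(">I", r._take(4))[0]
    if header & 0xFFFF0000 != VERSION_1:
        raise ProtocolError(f"bad version word {header:#x}")
    name, seqid, fields = r.string().decode(), r.i32(), {}
    while True:
        ftype = struct.unpack(">b", r._take(1))[0]
        if ftype == T_STOP:
            break
        fid = struct.unpack(">h", r._take(2))[0]
        if ftype == T_I32:
            fields[fid] = r.i32()
        elif ftype == T_STRING:
            fields[fid] = r.string()
        elif ftype == T_LIST:
            fields[fid] = r.list_i32()
        else:
            raise ProtocolError(f"unsupported field type {ftype}")
    return {"method": name, "seqid": seqid, "fields": fields}


def is_rejected(msg: bytes, max_size: int = MAX_MESSAGE_SIZE) -> bool:
    # True if the hardened reader refuses the message before allocating anything.
    try:
        parse_call(msg, max_size)
    except ProtocolError:
        return True
    return False


def unguarded_allocation(msg: bytes) -> int:
    """Bytes a reader that trusts the method-name length prefix would reserve; returned, not performed."""
    return struct.unpack_from(">i", msg, 4)[0]


# Constructed samples for this example, not captured traffic: an honest call, 12 bytes that
# declare a 2 GiB method name, and a valid header followed by a list declaring 2**31 - 1 elements.
HONEST_CALL = encode_call("ping", 1, [(1, T_STRING, b"hello"), (2, T_LIST, [1, 2, 3])])
MALICIOUS_CALL = struct.pack(">Ii", VERSION_1 | T_CALL, 0x7FFFFFFF) + b"ping"
MALICIOUS_LIST = encode_call("ping", 2, [])[:-1] + struct.pack(">bhbi", T_LIST, 1, T_I32, 0x7FFFFFFF)
```

Calling `parse_call(HONEST_CALL)` returns the decoded method, sequence id and fields, while `parse_call(MALICIOUS_CALL)` and `parse_call(MALICIOUS_LIST)` raise `ProtocolError` before any buffer is sized; `unguarded_allocation(MALICIOUS_CALL)` shows the 2147483647-byte reservation a trusting reader would make for a 12-byte request. The check against bytes remaining applies to framed transports where the whole message is in hand; on a streaming transport only the configured ceiling is available, which is why the ceiling, not the remaining-bytes check, is the essential control.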
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Hive | < 4.0.0 |
| Apache | Thrift | >= 0.9.3, <= 0.13.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/r01b34416677f1ba869525e1b891ac66fa6f88c024e
- https://lists.apache.org/thread.html/r02ba8db500d15a5949e9a7742815438002ba1cf1b3
- https://lists.apache.org/thread.html/r02f7771863383ae993eb83cdfb70c3cb65a355c913
- https://lists.apache.org/thread.html/r0372f0af2dad0b76fbd7a6cfdaad29d50384ad48dd
- https://lists.apache.org/thread.html/r08a7bd19470ef8950d58cc9d9e7b02bc69c43f56c6
- https://lists.apache.org/thread.html/r1084a911dff90b2733b442ee0f5929d19b168035d4
- https://lists.apache.org/thread.html/r117d5d2b08d505b69558a2a31b0a1cf8990cd03850
- https://lists.apache.org/thread.html/r12090c81b67d21a814de6cf54428934a5e5613fde2
- https://lists.apache.org/thread.html/r13f40151513ff095a44a86556c65597a7e55c00f5e
- https://lists.apache.org/thread.html/r143ca388b0c83fe659db14be76889d50b453b0ee06
- https://lists.apache.org/thread.html/r1456eab5f3768be69436d5b0a68b483eb316eb85eb
- https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd
- https://lists.apache.org/thread.html/r15eed5d21e16a5cce810c1e096ffcffc36cd08c2f7
- https://lists.apache.org/thread.html/r179119bbfb5610499286a84c316f6789c5afbfa534
- https://lists.apache.org/thread.html/r17cca685ad53bc8300ee7fcfe874cb784a222343f2
FAQ
What is CVE-2020-13949?
CVE-2020-13949 is a vulnerability in Apache Thrift with a CVSS base score of 7.5 (HIGH). In Apache Thrift 0.9.3 through 0.13.0, a malicious RPC client could send a short message whose declared lengths caused the server to attempt a large memory allocation, potentially leading to denial of service.
How severe is CVE-2020-13949?
CVE-2020-13949 is rated HIGH with a CVSS base score of 7.5/10. The impact is to availability: any client able to send RPC messages to an affected server can force it to attempt large allocations and exhaust its memory without having to send a large request itself.
Is there a patch for CVE-2020-13949?
Yes. Apache Thrift 0.14.0 and later are not affected; upgrade the Thrift library and rebuild or update products that bundle it (Apache Hive is affected before 4.0.0). Oracle Communications Cloud Native Core Network Slice Selection Function 1.2.1 and Oracle Communications Cloud Native Core Policy 1.14.0 are listed as affected; consult the vendor's advisories for their fixed releases. The references above link the Apache announcement and discussion threads.