Denial of Service Vulnerability in Mcrouter by Facebook
CVE-2019-11937

7.5HIGH

Key Information:

Vendor: Facebook
Status: Mcrouter
Vendor: CVE Published:; 4 December 2019

🔔 Create Facebook Vulnerability Alert

What is CVE-2019-11937?

The vulnerability allows an attacker to exploit a large struct input sent to the Carbon protocol reader in Mcrouter, resulting in stack exhaustion. This can lead to a denial of service condition, rendering the affected service unavailable. Users of Mcrouter prior to v0.41.0 are advised to upgrade to mitigate this risk.

Affected Version(s)

Mcrouter 0.41.0

Mcrouter < 0.41.0

References

https://github.com/facebook/mcrouter/releases/tag/v0.41.0...

x_refsource_MISC

https://www.facebook.com/security/advisories/cve-2019-11937

x_refsource_CONFIRM

https://github.com/facebook/mcrouter/commit/97e033b3bb0cb...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2019
Vulnerability Reserved
May 13, 2019

.