CVE-2019-11937

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-11937
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11937.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-11937
Published
2019-12-04T16:15:11.730Z
Modified
2025-11-14T09:05:42.027438Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In Mcrouter prior to v0.41.0, a large struct input provided to the Carbon protocol reader could result in stack exhaustion and denial of service.

References

Affected packages

Git / github.com/facebook/mcrouter

Affected ranges

Type
GIT
Repo
https://github.com/facebook/mcrouter
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b
Fixed
9ffd13e9ab6c2c02bd1f95a7169c9a69b1b6bc54

Affected versions

Other

release-36-cve-fix

v0.*

v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.37.0
v0.38.0
v0.39.0
v0.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11937.json"

vanir_signatures

[
    {
        "deprecated": false,
        "source": "https://github.com/facebook/mcrouter/commit/97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b",
        "signature_type": "Line",
        "target": {
            "file": "mcrouter/lib/carbon/CarbonProtocolReader.cpp"
        },
        "id": "CVE-2019-11937-754e2a1b",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "65161515500616568558656657028519200949",
                "211871914796959863846934910901354094903",
                "167072776203480378383959684283413084932",
                "287441299355480581747519674051041422660",
                "5928327514337020991552201001823937487",
                "194894419827936238695643242947369075622",
                "321974394087091680584651102824025550378",
                "211488159856352772860105901494483197795",
                "187480002121884995759788625953718996382",
                "200497279708899711979223314648232423331",
                "324038733964501136469472308180816719353",
                "171330923685853089644337207322548552352",
                "82713770421532349676075287601689598486",
                "3550457628982714179147233303082124235"
            ]
        }
    },
    {
        "deprecated": false,
        "source": "https://github.com/facebook/mcrouter/commit/97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b",
        "signature_type": "Function",
        "target": {
            "file": "mcrouter/lib/carbon/CarbonProtocolReader.cpp",
            "function": "CarbonProtocolReader::skip"
        },
        "id": "CVE-2019-11937-8b21346f",
        "signature_version": "v1",
        "digest": {
            "length": 967.0,
            "function_hash": "338708658738725844228037726447850122146"
        }
    },
    {
        "deprecated": false,
        "source": "https://github.com/facebook/mcrouter/commit/97e033b3bb0cb16b61bf49f0dc7f311a3e0edd1b",
        "signature_type": "Line",
        "target": {
            "file": "mcrouter/lib/carbon/CarbonProtocolReader.h"
        },
        "id": "CVE-2019-11937-fb898708",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "194489831403648663238481715541015036153",
                "299405957060261401258185212596721711662",
                "333748399651933197211965056899606848901",
                "120521487789386056350350313606559228989",
                "104720807227338357736598230379988928171"
            ]
        }
    }
]