CVE-2021-22569 – com.google.protobuf:protobuf-java

Package

Manager: maven
Name: com.google.protobuf:protobuf-java
Vulnerable Version: >=0 <3.16.1 || >=3.18.0 <3.18.2 || >=3.19.0 <3.19.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00353 pctl0.5695

Details

A potential Denial of Service issue in protobuf-java ## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)

Metadata

Created: 2022-01-07T22:31:44Z
Modified: 2023-01-24T15:45:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json
CWE IDs: ["CWE-696"]
Alternative ID: GHSA-wrvw-hg22-4m67
Finding: F014
Auto approve: 1