CVE-2022-3171 – com.google.protobuf:protobuf-java

Package

Manager: maven
Name: com.google.protobuf:protobuf-java
Vulnerable Version: >=3.21.0-rc-1 <3.21.7 || >=3.20.0-rc-1 <3.20.3 || >=3.17.0-rc-1 <3.19.6 || >=0 <3.16.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00071 pctl0.22384

Details

protobuf-java has a potential Denial of Service issue ## Summary A potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771) Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. ## Severity [CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication) ## Remediation and Mitigation Please update to the latest available versions of the following packages: protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)

Metadata

Created: 2022-10-04T22:17:15Z
Modified: 2022-10-04T22:17:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-h4h5-3hr4-j3g2
Finding: F184
Auto approve: 1