CVE-2022-1941 – protobuf

Package

Manager: pip
Name: protobuf
Vulnerable Version: >=0 <3.18.3 || >=3.19.0 <3.19.5 || >=3.20.0 <3.20.2 || >=4.0.0 <4.21.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00123 pctl0.32114

Details

protobuf-cpp and protobuf-python have potential Denial of Service issue ### Summary A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries. Reporter: [ClusterFuzz](https://google.github.io/clusterfuzz/) Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below. ### Severity & Impact As scored by google **Medium 5.7** - [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) Asscored byt NIST **High 7.5** - [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM. ### Proof of Concept For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness. ### Mitigation / Patching Please update to the latest available versions of the following packages: - protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6) - protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

Metadata

Created: 2022-09-23T20:31:15Z
Modified: 2024-07-05T21:23:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-8gq9-2x98-w8hf/GHSA-8gq9-2x98-w8hf.json
CWE IDs: ["CWE-119", "CWE-1286"]
Alternative ID: GHSA-8gq9-2x98-w8hf
Finding: F063
Auto approve: 1