CVE-2022-3171

EPSS 0.08%
Published 12.10.2022 23:15:09
Last modified 21.11.2024 07:18:58
Source cve-coordination@google.com
Teams watchlist Login
Open Login

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Google-protobuf SwPlatformruby Version < 3.16.3

Google ≫ Google-protobuf SwPlatformruby Version >= 3.17.0 < 3.19.6

Google ≫ Google-protobuf SwPlatformruby Version >= 3.20.0 < 3.20.3

Google ≫ Google-protobuf SwPlatformruby Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-java Version < 3.16.3

Google ≫ Protobuf-java Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-java Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-java Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-javalite Version < 3.16.3

Google ≫ Protobuf-javalite Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-javalite Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-javalite Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-kotlin Version < 3.16.3

Google ≫ Protobuf-kotlin Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-kotlin Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-kotlin Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-kotlin-lite Version < 3.16.3

Google ≫ Protobuf-kotlin-lite Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-kotlin-lite Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-kotlin-lite Version >= 3.21.0 < 3.21.7

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.241

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cve-coordination@google.com	4.3	2.8	1.4	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2

Third Party Advisory

https://security.gentoo.org/glsa/202301-09

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-3171

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-3171

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-3171

EUVD