CVE-2022-3171

EPSS 0.08%
Veröffentlicht 12.10.2022 23:15:09
Zuletzt bearbeitet 21.11.2024 07:18:58
Quelle cve-coordination@google.com
Teams Watchlist Login
Unerledigt Login

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Google-protobuf SwPlatformruby Version < 3.16.3

Google ≫ Google-protobuf SwPlatformruby Version >= 3.17.0 < 3.19.6

Google ≫ Google-protobuf SwPlatformruby Version >= 3.20.0 < 3.20.3

Google ≫ Google-protobuf SwPlatformruby Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-java Version < 3.16.3

Google ≫ Protobuf-java Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-java Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-java Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-javalite Version < 3.16.3

Google ≫ Protobuf-javalite Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-javalite Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-javalite Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-kotlin Version < 3.16.3

Google ≫ Protobuf-kotlin Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-kotlin Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-kotlin Version >= 3.21.0 < 3.21.7

Google ≫ Protobuf-kotlin-lite Version < 3.16.3

Google ≫ Protobuf-kotlin-lite Version >= 3.17.0 < 3.19.6

Google ≫ Protobuf-kotlin-lite Version >= 3.20.0 < 3.20.3

Google ≫ Protobuf-kotlin-lite Version >= 3.21.0 < 3.21.7

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.241

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cve-coordination@google.com	4.3	2.8	1.4	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2

Third Party Advisory

https://security.gentoo.org/glsa/202301-09

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-3171

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-3171

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-3171

EUVD