CVSS: 8.7EPSS: 0%CPEs: 16EXPL: 0CVE-2024-7254 – Stack overflow in Protocol Buffers Java Lite
https://notcve.org/view.php?id=CVE-2024-7254
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. • https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24786 – Infinite loop in JSON unmarshaling in google.golang.org/protobuf
https://notcve.org/view.php?id=CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. La función protojson.Unmarshal puede entrar en un bucle infinito al descomponer ciertas formas de JSON no válido. Esta condición puede ocurrir al descomponer en un mensaje que contiene un valor google.protobuf.Any, o cuando la opción UnmarshalOptions.DiscardUnknown está configurada. A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. • http://www.openwall.com/lists/oss-security/2024/03/08/4 https://go.dev/cl/569356 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU https://pkg.go.dev/vuln/GO-2024-2611 https://security.netapp.com/advisory/ntap-20240517-0002 https://access.redhat.com/security/cve/CVE-2024-24786 https://bugzilla.redhat.com/show_bug.cgi?id=2268046 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2022-3171 – Memory handling vulnerability in ProtocolBuffers Java core and lite
https://notcve.org/view.php?id=CVE-2022-3171
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis de datos binarios en protobuf-java core y lite versiones anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3, puede conllevar a un ataque de denegación de servicio. Las entradas que contienen múltiples instancias de mensajes insertados no repetidos con campos repetidos o desconocidos causan que los objetos sean convertidos de ida y vuelta entre las formas mutables e inmutables, resultando en pausas de recolección de basura potencialmente largas. • https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP https://security.gentoo.org/glsa/202301-09 https://access.redhat.com/security/cve/CVE-2022-3171 https://bugzilla.redhat.com/show_bug.cgi?id=2137645 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 1CVE-2021-22569 – Denial of Service of protobuf-java parsing procedure
https://notcve.org/view.php?id=CVE-2021-22569
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. Un problema en protobuf-java permitía intercalar campos com.google.protobuf.UnknownFieldSet de tal manera que eran procesados fuera de orden. Una pequeña carga útil maliciosa puede ocupar el analizador durante varios minutos al crear un gran número de objetos de corta duración que causan frecuentes y repetidas pausas. • http://www.openwall.com/lists/oss-security/2022/01/12/4 http://www.openwall.com/lists/oss-security/2022/01/12/7 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 https://cloud.google.com/support/bulletins#gcp-2022-001 https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2021-22569 https://bugzilla.redhat.com/show_bug.cgi?id=2039903 • CWE-696: Incorrect Behavior Order •