CVSS: 7.8EPSS: 0%CPEs: 21EXPL: 0CVE-2022-3171 – Memory handling vulnerability in ProtocolBuffers Java core and lite
https://notcve.org/view.php?id=CVE-2022-3171
12 Oct 2022 — A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis de datos binarios en protobuf-java c... • https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 2CVE-2021-22569 – Denial of Service of protobuf-java parsing procedure
https://notcve.org/view.php?id=CVE-2021-22569
07 Jan 2022 — An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. Un problema en protobuf-java permitía intercalar campos com.google.protobuf.UnknownFieldSet de tal manera que eran procesados fuera de orden. U... • https://github.com/Mario-Kart-Felix/A-potential-Denial-of-Service-issue-in-protobuf-java • CWE-696: Incorrect Behavior Order •