CVSS: 8.7EPSS: 0%CPEs: 16EXPL: 0CVE-2024-7254 – Stack overflow in Protocol Buffers Java Lite
https://notcve.org/view.php?id=CVE-2024-7254
19 Sep 2024 — Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing unt... • https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24786 – Infinite loop in JSON unmarshaling in google.golang.org/protobuf
https://notcve.org/view.php?id=CVE-2024-24786
05 Mar 2024 — The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. La función protojson.Unmarshal puede entrar en un bucle infinito al descomponer ciertas formas de JSON no válido. Esta condición puede ocurrir al descomponer en un mensaje que contiene un valor google.protobuf.Any, o cuando la opción Unmarsha... • http://www.openwall.com/lists/oss-security/2024/03/08/4 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-3510 – Parsing issue in protobuf message-type extension
https://notcve.org/view.php?id=CVE-2022-3510
11 Nov 2022 — A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de aná... • https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 • CWE-400: Uncontrolled Resource Consumption CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-3509 – Parsing issue in protobuf textformat
https://notcve.org/view.php?id=CVE-2022-3509
01 Nov 2022 — A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis similar... • https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 • CWE-400: Uncontrolled Resource Consumption CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes •
CVSS: 7.8EPSS: 0%CPEs: 21EXPL: 0CVE-2022-3171 – Memory handling vulnerability in ProtocolBuffers Java core and lite
https://notcve.org/view.php?id=CVE-2022-3171
12 Oct 2022 — A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis de datos binarios en protobuf-java c... • https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-1941 – Out of Memory issue in ProtocolBuffers for cpp and python
https://notcve.org/view.php?id=CVE-2022-1941
22 Sep 2022 — A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to ve... • http://www.openwall.com/lists/oss-security/2022/09/27/1 • CWE-400: Uncontrolled Resource Consumption CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2021-22570 – Nullptr Dereference in Protobuf
https://notcve.org/view.php?id=CVE-2021-22570
26 Jan 2022 — Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. Una desreferencia de puntero Null cuando un char nulo está presente en un símbolo proto. • https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 2CVE-2021-22569 – Denial of Service of protobuf-java parsing procedure
https://notcve.org/view.php?id=CVE-2021-22569
07 Jan 2022 — An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. Un problema en protobuf-java permitía intercalar campos com.google.protobuf.UnknownFieldSet de tal manera que eran procesados fuera de orden. U... • https://github.com/Mario-Kart-Felix/A-potential-Denial-of-Service-issue-in-protobuf-java • CWE-696: Incorrect Behavior Order •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5237 – Ubuntu Security Notice USN-5769-1
https://notcve.org/view.php?id=CVE-2015-5237
25 Sep 2017 — protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. protobuf permite que los usuarios autenticados remotos provoquen un desbordamiento de búfer basado en memoria dinámica (heap). It was discovered that protobuf did not properly manage memory when serializing large messages. An attacker could possibly use this issue to cause applications using protobuf to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that protobuf did not prop... • http://www.openwall.com/lists/oss-security/2015/08/27/2 • CWE-787: Out-of-bounds Write •