CVSS: 8.7EPSS: 0%CPEs: 16EXPL: 0CVE-2024-7254 – Stack overflow in Protocol Buffers Java Lite
https://notcve.org/view.php?id=CVE-2024-7254
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. • https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24786 – Infinite loop in JSON unmarshaling in google.golang.org/protobuf
https://notcve.org/view.php?id=CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. La función protojson.Unmarshal puede entrar en un bucle infinito al descomponer ciertas formas de JSON no válido. Esta condición puede ocurrir al descomponer en un mensaje que contiene un valor google.protobuf.Any, o cuando la opción UnmarshalOptions.DiscardUnknown está configurada. A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. • http://www.openwall.com/lists/oss-security/2024/03/08/4 https://go.dev/cl/569356 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU https://pkg.go.dev/vuln/GO-2024-2611 https://security.netapp.com/advisory/ntap-20240517-0002 https://access.redhat.com/security/cve/CVE-2024-24786 https://bugzilla.redhat.com/show_bug.cgi?id=2268046 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-3510 – Parsing issue in protobuf message-type extension
https://notcve.org/view.php?id=CVE-2022-3510
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis similar a CVE-2022-3171, pero con extensiones de tipo de mensaje en las versiones protobuf-java core y lite anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3 puede provocar un ataque de Denegación de Servicio (DoS). . Las entradas que contienen múltiples instancias de mensajes incrustados no repetidos con campos repetidos o desconocidos hacen que los objetos se conviertan de un lado a otro entre formas mutables e inmutables, lo que resulta en pausas de recolección de basura potencialmente largas. • https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 https://access.redhat.com/security/cve/CVE-2022-3510 https://bugzilla.redhat.com/show_bug.cgi?id=2184176 • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-3509 – Parsing issue in protobuf textformat
https://notcve.org/view.php?id=CVE-2022-3509
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis similar a CVE-2022-3171, pero con formato de texto en las versiones core y lite de protobuf-java anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3 puede provocar un ataque de Denegación de Servicio (DoS). Las entradas que contienen múltiples instancias de mensajes incrustados no repetidos con campos repetidos o desconocidos hacen que los objetos se conviertan de un lado a otro entre formas mutables e inmutables, lo que resulta en pausas de recolección de basura potencialmente largas. • https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 https://access.redhat.com/security/cve/CVE-2022-3509 https://bugzilla.redhat.com/show_bug.cgi?id=2184161 • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2022-3171 – Memory handling vulnerability in ProtocolBuffers Java core and lite
https://notcve.org/view.php?id=CVE-2022-3171
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis de datos binarios en protobuf-java core y lite versiones anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3, puede conllevar a un ataque de denegación de servicio. Las entradas que contienen múltiples instancias de mensajes insertados no repetidos con campos repetidos o desconocidos causan que los objetos sean convertidos de ida y vuelta entre las formas mutables e inmutables, resultando en pausas de recolección de basura potencialmente largas. • https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP https://security.gentoo.org/glsa/202301-09 https://access.redhat.com/security/cve/CVE-2022-3171 https://bugzilla.redhat.com/show_bug.cgi?id=2137645 • CWE-20: Improper Input Validation •