CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24786 – Infinite loop in JSON unmarshaling in google.golang.org/protobuf
https://notcve.org/view.php?id=CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. La función protojson.Unmarshal puede entrar en un bucle infinito al descomponer ciertas formas de JSON no válido. Esta condición puede ocurrir al descomponer en un mensaje que contiene un valor google.protobuf.Any, o cuando la opción UnmarshalOptions.DiscardUnknown está configurada. A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. • http://www.openwall.com/lists/oss-security/2024/03/08/4 https://go.dev/cl/569356 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU https://pkg.go.dev/vuln/GO-2024-2611 https://security.netapp.com/advisory/ntap-20240517-0002 https://access.redhat.com/security/cve/CVE-2024-24786 https://bugzilla.redhat.com/show_bug.cgi?id=2268046 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24535 – Panic when parsing invalid messages in google.golang.org/protobuf
https://notcve.org/view.php?id=CVE-2023-24535
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic. • https://github.com/golang/protobuf/issues/1530 https://go.dev/cl/475995 https://pkg.go.dev/vuln/GO-2023-1631 • CWE-125: Out-of-bounds Read •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-48468 – protobuf-c: unsigned integer overflow in parse_required_member
https://notcve.org/view.php?id=CVE-2022-48468
protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member. A vulnerability was found in protobuf-c. This security flaw leads to an unsigned integer overflow in parse_required_member. • https://github.com/protobuf-c/protobuf-c/commit/ec3d900001a13ccdaa8aef996b34c61159c76217 https://github.com/protobuf-c/protobuf-c/issues/499 https://github.com/protobuf-c/protobuf-c/pull/513 https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EI4JZSHJXW7WOOTAQSV5SUCC5GE2GC2B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UGLZZYPOLI733DPETL444E3GY5KSS6LG https://lists.fedorapro • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-33070
https://notcve.org/view.php?id=CVE-2022-33070
Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. Se ha detectado que Protobuf-c versión v1.4.0, contiene un desplazamiento aritmético no válido por medio de la función parse_tag_and_wiretype en el archivo protobuf-c/protobuf-c.c. Esta vulnerabilidad permite a atacantes causar una Denegación de Servicio (DoS) por medio de vectores no especificados • https://github.com/protobuf-c/protobuf-c/issues/506 https://github.com/protobuf-c/protobuf-c/pull/508 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFN2GHUEGTSHRD7J5PKQ5DRSJSEQ2IKN •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-15544
https://notcve.org/view.php?id=CVE-2019-15544
An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls. Se descubrió un problema en el paquete protobuf antes de 2.6.0 para Rust. Los atacantes pueden agotar toda la memoria a través de llamadas Vec :: reserve. • https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E https://rustsec.org/advisories/RUSTSEC-2019-0003.html • CWE-770: Allocation of Resources Without Limits or Throttling •