CVE-2022-1941

Out of Memory issue in ProtocolBuffers for cpp and python

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Una vulnerabilidad de análisis de tipo MessageSet en ProtocolBuffers versiones anteriores a 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 y 3.21.5 para protobuf-cpp, y las versiones anteriores a la 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 y 4.21.5 para protobuf-python, entre otras, puede conllevar a fallos de memoria. Un mensaje especialmente diseñado con múltiples elementos clave-valor por crea problemas de análisis, y puede conllevar a una denegación de servicio contra los servicios que reciban entradas no saneadas. Es recomendado actualizar a versiones 3.18.3, 3.19.5, 3.20.2, 3.21.6 para protobuf-cpp y 3.18.3, 3.19.5, 3.20.2, 4.21.6 para protobuf-python. Las versiones para 3.16 y 3.17 ya no son actualizadas

*Credits: CluterFuzz - https://google.github.io/clusterfuzz/

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-05-30 CVE Reserved
2022-09-22 CVE Published
2024-07-06 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1286: Improper Validation of Syntactic Correctness of Input

CAPEC

References (7)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/09/27/1	Mailing List
https://cloud.google.com/support/bulletins#GCP-2022-019	Third Party Advisory
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html	Mailing List
https://security.netapp.com/advisory/ntap-20240705-0001

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Google Search vendor "Google"		Protobuf-cpp Search vendor "Google" for product "Protobuf-cpp"				< 3.18.3 Search vendor "Google" for product "Protobuf-cpp" and version " < 3.18.3"		-		Affected
Google Search vendor "Google"		Protobuf-cpp Search vendor "Google" for product "Protobuf-cpp"				>= 3.19.0 < 3.19.5 Search vendor "Google" for product "Protobuf-cpp" and version " >= 3.19.0 < 3.19.5"		-		Affected
Google Search vendor "Google"		Protobuf-cpp Search vendor "Google" for product "Protobuf-cpp"				>= 3.20.0 < 3.20.2 Search vendor "Google" for product "Protobuf-cpp" and version " >= 3.20.0 < 3.20.2"		-		Affected
Google Search vendor "Google"		Protobuf-cpp Search vendor "Google" for product "Protobuf-cpp"				>= 3.21.0 < 3.21.6 Search vendor "Google" for product "Protobuf-cpp" and version " >= 3.21.0 < 3.21.6"		-		Affected
Google Search vendor "Google"		Protobuf-python Search vendor "Google" for product "Protobuf-python"				< 3.18.3 Search vendor "Google" for product "Protobuf-python" and version " < 3.18.3"		-		Affected
Google Search vendor "Google"		Protobuf-python Search vendor "Google" for product "Protobuf-python"				>= 3.19.0 < 3.19.5 Search vendor "Google" for product "Protobuf-python" and version " >= 3.19.0 < 3.19.5"		-		Affected
Google Search vendor "Google"		Protobuf-python Search vendor "Google" for product "Protobuf-python"				>= 3.20.0 < 3.20.2 Search vendor "Google" for product "Protobuf-python" and version " >= 3.20.0 < 3.20.2"		-		Affected
Google Search vendor "Google"		Protobuf-python Search vendor "Google" for product "Protobuf-python"				>= 4.0.0 < 4.21.6 Search vendor "Google" for product "Protobuf-python" and version " >= 4.0.0 < 4.21.6"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected