CVE-2022-3171
Memory handling vulnerability in ProtocolBuffers Java core and lite
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Un problema de análisis de datos binarios en protobuf-java core y lite versiones anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3, puede conllevar a un ataque de denegación de servicio. Las entradas que contienen múltiples instancias de mensajes insertados no repetidos con campos repetidos o desconocidos causan que los objetos sean convertidos de ida y vuelta entre las formas mutables e inmutables, resultando en pausas de recolección de basura potencialmente largas. Es recomendado actualizar a versiones mencionadas anteriormente
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-09-09 CVE Reserved
- 2022-10-12 CVE Published
- 2024-06-02 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Google Search vendor "Google" | Google-protobuf Search vendor "Google" for product "Google-protobuf" | < 3.16.3 Search vendor "Google" for product "Google-protobuf" and version " < 3.16.3" | ruby |
Affected
| ||||||
| Google Search vendor "Google" | Google-protobuf Search vendor "Google" for product "Google-protobuf" | >= 3.17.0 < 3.19.6 Search vendor "Google" for product "Google-protobuf" and version " >= 3.17.0 < 3.19.6" | ruby |
Affected
| ||||||
| Google Search vendor "Google" | Google-protobuf Search vendor "Google" for product "Google-protobuf" | >= 3.20.0 < 3.20.3 Search vendor "Google" for product "Google-protobuf" and version " >= 3.20.0 < 3.20.3" | ruby |
Affected
| ||||||
| Google Search vendor "Google" | Google-protobuf Search vendor "Google" for product "Google-protobuf" | >= 3.21.0 < 3.21.7 Search vendor "Google" for product "Google-protobuf" and version " >= 3.21.0 < 3.21.7" | ruby |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-java Search vendor "Google" for product "Protobuf-java" | < 3.16.3 Search vendor "Google" for product "Protobuf-java" and version " < 3.16.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-java Search vendor "Google" for product "Protobuf-java" | >= 3.17.0 < 3.19.6 Search vendor "Google" for product "Protobuf-java" and version " >= 3.17.0 < 3.19.6" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-java Search vendor "Google" for product "Protobuf-java" | >= 3.20.0 < 3.20.3 Search vendor "Google" for product "Protobuf-java" and version " >= 3.20.0 < 3.20.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-java Search vendor "Google" for product "Protobuf-java" | >= 3.21.0 < 3.21.7 Search vendor "Google" for product "Protobuf-java" and version " >= 3.21.0 < 3.21.7" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-javalite Search vendor "Google" for product "Protobuf-javalite" | < 3.16.3 Search vendor "Google" for product "Protobuf-javalite" and version " < 3.16.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-javalite Search vendor "Google" for product "Protobuf-javalite" | >= 3.17.0 < 3.19.6 Search vendor "Google" for product "Protobuf-javalite" and version " >= 3.17.0 < 3.19.6" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-javalite Search vendor "Google" for product "Protobuf-javalite" | >= 3.20.0 < 3.20.3 Search vendor "Google" for product "Protobuf-javalite" and version " >= 3.20.0 < 3.20.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-javalite Search vendor "Google" for product "Protobuf-javalite" | >= 3.21.0 < 3.21.7 Search vendor "Google" for product "Protobuf-javalite" and version " >= 3.21.0 < 3.21.7" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin Search vendor "Google" for product "Protobuf-kotlin" | < 3.16.3 Search vendor "Google" for product "Protobuf-kotlin" and version " < 3.16.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin Search vendor "Google" for product "Protobuf-kotlin" | >= 3.17.0 < 3.19.6 Search vendor "Google" for product "Protobuf-kotlin" and version " >= 3.17.0 < 3.19.6" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin Search vendor "Google" for product "Protobuf-kotlin" | >= 3.20.0 < 3.20.3 Search vendor "Google" for product "Protobuf-kotlin" and version " >= 3.20.0 < 3.20.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin Search vendor "Google" for product "Protobuf-kotlin" | >= 3.21.0 < 3.21.7 Search vendor "Google" for product "Protobuf-kotlin" and version " >= 3.21.0 < 3.21.7" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin-lite Search vendor "Google" for product "Protobuf-kotlin-lite" | < 3.16.3 Search vendor "Google" for product "Protobuf-kotlin-lite" and version " < 3.16.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin-lite Search vendor "Google" for product "Protobuf-kotlin-lite" | >= 3.17.0 < 3.19.6 Search vendor "Google" for product "Protobuf-kotlin-lite" and version " >= 3.17.0 < 3.19.6" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin-lite Search vendor "Google" for product "Protobuf-kotlin-lite" | >= 3.20.0 < 3.20.3 Search vendor "Google" for product "Protobuf-kotlin-lite" and version " >= 3.20.0 < 3.20.3" | - |
Affected
| ||||||
| Google Search vendor "Google" | Protobuf-kotlin-lite Search vendor "Google" for product "Protobuf-kotlin-lite" | >= 3.21.0 < 3.21.7 Search vendor "Google" for product "Protobuf-kotlin-lite" and version " >= 3.21.0 < 3.21.7" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||