Out of Memory issue in ProtocolBuffers for cpp and python
CVE-2022-1941

7.5HIGH

Key Information:

Vendor: Google
Status: Protobuf-cpp; Protobuf-python
Vendor: CVE Published:; 22 September 2022

Summary

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Affected Version(s)

protobuf-cpp <= 3.16.1

protobuf-cpp <= 3.17.3

protobuf-cpp <= 3.18.2

References

https://cloud.google.com/support/bulletins#GCP-2022-019

https://github.com/protocolbuffers/protobuf/security/advi...

http://www.openwall.com/lists/oss-security/2022/09/27/1

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 22, 2022
Vulnerability Reserved
May 30, 2022

Collectors

NVD DatabaseMitre Database

Credit

CluterFuzz - https://google.github.io/clusterfuzz/