Memory handling vulnerability in ProtocolBuffers Java core and lite
CVE-2022-3171

4.3MEDIUM

Key Information:

Vendor: Google
Status: Protocolbuffers
Vendor: CVE Published:; 12 October 2022

Summary

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Affected Version(s)

Protocolbuffers core and lite 3.21.7

Protocolbuffers core and lite 3.20.3

Protocolbuffers core and lite 3.19.6

References

https://github.com/protocolbuffers/protobuf/security/advi...

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

https://security.gentoo.org/glsa/202301-09

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 12, 2022
Vulnerability Reserved
Sep 9, 2022

Collectors

NVD DatabaseMitre Database