Parsing issue in protobuf message-type extension
CVE-2022-3510

7.5HIGH

Key Information:

Vendor: Google
Status: Protocolbuffers
Vendor: CVE Published:; 12 December 2022

Summary

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Affected Version(s)

ProtocolBuffers all 3.21.0 < 3.21.7

ProtocolBuffers all 3.20.0 < 3.20.3

ProtocolBuffers all 3.19.0 < 3.19.6

References

https://github.com/protocolbuffers/protobuf/commit/db7c17...

patch

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 12, 2022
Vulnerability Reserved
Oct 14, 2022

Collectors

NVD DatabaseMitre Database