Stack Overflow Vulnerability in Protocol Buffers
CVE-2024-7254
7.5 HIGH
What is CVE-2024-7254?
Google Protocol Buffers contains a vulnerability in which projects that parse untrusted Protocol Buffers data containing nested groups or multiple SGROUP tags risk exceeding the stack limit, leading to a stack overflow. It occurs when the parser, either DiscardUnknownFieldsParser or the Java Protobuf Lite parser, processes unknown fields or Protobuf map fields, which results in unbounded recursion that an attacker can exploit. Proper validation and limits are critical to mitigating the risk.
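A defensive pre-parse check for the nested-group case described above, as an added example (not code from the protobuf project): it walks the wire format iteratively, so its own stack use stays constant, and rejects input whose group nesting exceeds a limit. The function names and the limit of 100 are assumptions; it tracks top-level groups only and does not look inside length-delimited fields, so it does not cover the map-field case.

```python
VARINT, LEN, SGROUP, EGROUP = 0, 2, 3, 4  # protobuf wire types
FIXED_WIDTH = {1: 8, 5: 4}                # I64 and I32 payload sizes in bytes


def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result = shift = 0
    while shift < 70:  # a varint is at most 10 bytes
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("varint longer than 10 bytes")


def max_group_depth(buf, limit=100):  # limit of 100 is an assumed value
    """Scan fields without recursion; return the deepest group nesting seen."""
    pos, open_groups, deepest = 0, [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if wire_type == VARINT:
            _, pos = read_varint(buf, pos)
        elif wire_type in FIXED_WIDTH:
            pos += FIXED_WIDTH[wire_type]
        elif wire_type == LEN:
            length, pos = read_varint(buf, pos)
            pos += length  # payload is skipped, not inspected
        elif wire_type == SGROUP:
            open_groups.append(field)
            deepest = max(deepest, len(open_groups))
            if deepest > limit:
                raise ValueError(f"group nesting exceeds {limit}")
        elif wire_type == EGROUP:
            if not open_groups or open_groups.pop() != field:
                raise ValueError("unmatched end-group tag")
        else:
            raise ValueError(f"invalid wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if open_groups:
        raise ValueError("unterminated group")
    return deepest

# Constructed sample: field 1 opened as a group three levels deep, then closed.
SAMPLE = b"\x0b\x0b\x0b\x0c\x0c\x0c"
```

Calling `max_group_depth` on untrusted bytes before handing them to the parser turns over-nested input into a `ValueError` the caller can handle.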
Affected Version(s)
google-protobuf [JRuby Gem] 0 < 3.25.5
google-protobuf [JRuby Gem] 0 < 4.27.5
google-protobuf [JRuby Gem] 0 < 4.28.2
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Credit
Alexis Challande, Trail of Bits Ecosystem Security Team