скеName Overflow Vulnerability in Protocol Buffers
CVE-2024-7254

7.5HIGH

Key Information:

Vendor

Google

Vendor
CVE Published:
19 September 2024

What is CVE-2024-7254?

A vulnerability exists in Google Protocol Buffers where projects parsing untrusted Protocol Buffers data containing nested groups or multiple SGROUP tags risk exceeding the stack limit, leading to stack overflow. This occurs when the parsing method, using either DiscardUnknownFieldsParser or Java Protobuf Lite parser, processes unknown fields or Protobuf map fields, resulting in unbounded recursion that can be exploited by an attacker. Proper validations and limitations are critical to mitigate potential risks.

Affected Version(s)

google-protobuf [JRuby Gem] 0 < 3.25.5

google-protobuf [JRuby Gem] 0 < 4.27.5

google-protobuf [JRuby Gem] 0 < 4.28.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

Alexis Challande, Trail of Bits Ecosystem Security Team <[email protected]>
.