Stack Overflow Vulnerability in Protocol Buffers
CVE-2024-7254
What is CVE-2024-7254?
Google Protocol Buffers contains a vulnerability in which projects that parse untrusted Protocol Buffers data containing nested groups or multiple SGROUP tags risk exceeding the stack limit, leading to a stack overflow. It occurs when the parser, either DiscardUnknownFieldsParser or the Java Protobuf Lite parser, processes unknown fields or Protobuf map fields: the result is unbounded recursion that an attacker can exploit. Proper validation and limits are critical to mitigating the risk.

Affected Version(s)
google-protobuf [JRuby Gem] 0 < 3.25.5
google-protobuf [JRuby Gem] 0 < 4.27.5
google-protobuf [JRuby Gem] 0 < 4.28.2