Vulnerabilities related to Google - ProtocolBuffers
cve-2022-3509
Vulnerability from cvelistv5
Published
2022-11-01 18:09
Modified
2024-08-03 01:14
Title
Parsing issue in protobuf textformat
Severity
7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
References
https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9
Impacted products
Vendor | Product | Version
---|---|---
Google | ProtocolBuffers | 3.21.0 ≤ version < 3.21.7
Google | ProtocolBuffers | 3.20.0 ≤ version < 3.20.3
Google | ProtocolBuffers | 3.19.0 ≤ version < 3.19.6
Google | ProtocolBuffers | 3.16.0 ≤ version < 3.16.3
cve-2022-3510
Vulnerability from cvelistv5
Published
2022-11-11 16:35
Modified
2024-08-03 01:14
Title
Parsing issue in protobuf message-type extension
Severity
7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
References
https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 (patch)
Impacted products
Vendor | Product | Version
---|---|---
Google | ProtocolBuffers | 3.21.0 ≤ version < 3.21.7
Google | ProtocolBuffers | 3.20.0 ≤ version < 3.20.3
Google | ProtocolBuffers | 3.19.0 ≤ version < 3.19.6
Google | ProtocolBuffers | 3.16.0 ≤ version < 3.16.3