gsd-2021-3121
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-3121",
"description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"id": "GSD-2021-3121",
"references": [
"https://www.suse.com/security/cve/CVE-2021-3121.html",
"https://access.redhat.com/errata/RHSA-2022:0283",
"https://access.redhat.com/errata/RHSA-2021:4104",
"https://access.redhat.com/errata/RHBA-2021:3760",
"https://access.redhat.com/errata/RHSA-2021:3759",
"https://access.redhat.com/errata/RHSA-2021:3303",
"https://access.redhat.com/errata/RHSA-2021:3262",
"https://access.redhat.com/errata/RHSA-2021:3259",
"https://access.redhat.com/errata/RHSA-2021:2977",
"https://access.redhat.com/errata/RHSA-2021:2920",
"https://access.redhat.com/errata/RHSA-2021:2438",
"https://access.redhat.com/errata/RHSA-2021:2437",
"https://access.redhat.com/errata/RHSA-2021:2374",
"https://access.redhat.com/errata/RHSA-2021:2286",
"https://access.redhat.com/errata/RHSA-2021:2136",
"https://access.redhat.com/errata/RHSA-2021:2121",
"https://access.redhat.com/errata/RHSA-2021:1563",
"https://access.redhat.com/errata/RHSA-2021:1552",
"https://access.redhat.com/errata/RHBA-2021:1365",
"https://access.redhat.com/errata/RHSA-2021:1227",
"https://access.redhat.com/errata/RHSA-2021:1225",
"https://access.redhat.com/errata/RHSA-2021:1007",
"https://access.redhat.com/errata/RHSA-2021:1006",
"https://access.redhat.com/errata/RHSA-2021:1005",
"https://access.redhat.com/errata/RHSA-2021:0799",
"https://access.redhat.com/errata/RHSA-2021:0719",
"https://access.redhat.com/errata/RHSA-2021:0607",
"https://access.redhat.com/errata/RHSA-2020:5635",
"https://access.redhat.com/errata/RHSA-2020:5634",
"https://access.redhat.com/errata/RHSA-2020:5633",
"https://access.redhat.com/errata/RHSA-2022:0056",
"https://access.redhat.com/errata/RHSA-2022:0577",
"https://access.redhat.com/errata/RHSA-2022:1276",
"https://access.redhat.com/errata/RHSA-2022:1679",
"https://access.redhat.com/errata/RHSA-2022:6536",
"https://access.redhat.com/errata/RHSA-2022:6916"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-3121"
],
"details": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"id": "GSD-2021-3121",
"modified": "2023-12-13T01:23:35.291459Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3121",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"refsource": "MISC",
"url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc"
},
{
"name": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2",
"refsource": "MISC",
"url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210219-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210219-0006/"
},
{
"name": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025",
"refsource": "MISC",
"url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025"
},
{
"name": "[skywalking-notifications] 20211018 [GitHub] [skywalking-swck] hanahmily opened a new pull request #37: Fix vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv1.3.2",
"affected_versions": "All versions before 1.3.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-129",
"CWE-937"
],
"date": "2022-03-29",
"description": "An issue was discovered in GoGo Protobuf before 1.3.2. The file `plugin/unmarshal/unmarshal.go` lacks certain index validation, aka the `skippy peanut butter` issue.",
"fixed_versions": [
"v1.3.2"
],
"identifier": "CVE-2021-3121",
"identifiers": [
"GHSA-c3h9-896r-86jm",
"CVE-2021-3121"
],
"not_impacted": "All versions starting from 1.3.2",
"package_slug": "go/github.com/gogo/protobuf",
"pubdate": "2022-03-28",
"solution": "Upgrade to version 1.3.2 or above.",
"title": "Improper Validation of Array Index",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025",
"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2",
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E",
"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20210219-0006/",
"https://github.com/advisories/GHSA-c3h9-896r-86jm"
],
"uuid": "3cd1f84d-7102-40b0-a281-7ed4980a236a",
"versions": [
{
"commit": {
"sha": "b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"tags": [
"v1.3.2"
],
"timestamp": "20210110080147"
},
"number": "v1.3.2"
}
]
},
{
"affected_range": "\u003cv1.3.2",
"affected_versions": "All versions before 1.3.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-129",
"CWE-937"
],
"date": "2023-02-09",
"description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"fixed_versions": [
"v1.3.2"
],
"identifier": "CVE-2021-3121",
"identifiers": [
"GHSA-c3h9-896r-86jm",
"CVE-2021-3121"
],
"not_impacted": "All versions starting from 1.3.2",
"package_slug": "go/github.com/gogo/protobuf/plugin/unmarshal",
"pubdate": "2022-03-28",
"solution": "Upgrade to version 1.3.2 or above.",
"title": "Improper Validation of Array Index",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025",
"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2",
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E",
"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20210219-0006/",
"https://pkg.go.dev/vuln/GO-2021-0053",
"https://github.com/advisories/GHSA-c3h9-896r-86jm"
],
"uuid": "70af9ed3-3d82-4a5f-8669-c1fb49bc060c",
"versions": [
{
"commit": {
"sha": "b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"tags": [
"v1.3.2"
],
"timestamp": "20210110080147"
},
"number": "v1.3.2"
}
]
},
{
"affected_range": "\u003cv1.3.2",
"affected_versions": "All versions before 1.3.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-129",
"CWE-937"
],
"date": "2022-04-01",
"description": "An issue was discovered in GoGo Protobuf `plugin/unmarshal/unmarshal.go` lacks certain index validation.",
"fixed_versions": [
"v1.3.2"
],
"identifier": "CVE-2021-3121",
"identifiers": [
"CVE-2021-3121"
],
"not_impacted": "",
"package_slug": "go/github.com/gogo/protobuf/protoc-gen-gofast",
"pubdate": "2021-01-11",
"solution": "Upgrade to version 1.3.2 or above.",
"title": "Improper Validation of Array Index",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3121"
],
"uuid": "b400f995-0b82-42f4-bd61-d912abb9f025",
"versions": [
{
"commit": {
"sha": "b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"tags": [
"v1.3.2"
],
"timestamp": "20210110080147"
},
"number": "v1.3.2"
}
]
},
{
"affected_range": "\u003cv1.3.2",
"affected_versions": "All versions before 1.3.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-129",
"CWE-937"
],
"date": "2023-02-09",
"description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"fixed_versions": [
"v1.3.2"
],
"identifier": "CVE-2021-3121",
"identifiers": [
"GHSA-c3h9-896r-86jm",
"CVE-2021-3121"
],
"not_impacted": "All versions starting from 1.3.2",
"package_slug": "go/github.com/gogo/protobuf/test",
"pubdate": "2022-03-28",
"solution": "Upgrade to version 1.3.2 or above.",
"title": "Improper Validation of Array Index",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025",
"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2",
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E",
"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20210219-0006/",
"https://pkg.go.dev/vuln/GO-2021-0053",
"https://github.com/advisories/GHSA-c3h9-896r-86jm"
],
"uuid": "5fd840a6-ae6c-4049-b380-e5d34a76a2c2",
"versions": [
{
"commit": {
"sha": "b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"tags": [
"v1.3.2"
],
"timestamp": "20210110080147"
},
"number": "v1.3.2"
}
]
},
{
"affected_range": "\u003cv1.3.2",
"affected_versions": "All versions before 1.3.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-129",
"CWE-937"
],
"date": "2023-02-09",
"description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"fixed_versions": [
"v1.3.2"
],
"identifier": "CVE-2021-3121",
"identifiers": [
"GHSA-c3h9-896r-86jm",
"CVE-2021-3121"
],
"not_impacted": "All versions starting from 1.3.2",
"package_slug": "go/github.com/gogo/protobuf/types",
"pubdate": "2022-03-28",
"solution": "Upgrade to version 1.3.2 or above.",
"title": "Improper Validation of Array Index",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025",
"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2",
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E",
"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20210219-0006/",
"https://pkg.go.dev/vuln/GO-2021-0053",
"https://github.com/advisories/GHSA-c3h9-896r-86jm"
],
"uuid": "ac094f3f-197e-4deb-bc26-b827e9f6527e",
"versions": [
{
"commit": {
"sha": "b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"tags": [
"v1.3.2"
],
"timestamp": "20210110080147"
},
"number": "v1.3.2"
}
]
},
{
"affected_range": "\u003cv1.3.2",
"affected_versions": "All versions before 1.3.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-129",
"CWE-937"
],
"date": "2023-02-09",
"description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.",
"fixed_versions": [
"v1.3.2"
],
"identifier": "CVE-2021-3121",
"identifiers": [
"GHSA-c3h9-896r-86jm",
"CVE-2021-3121"
],
"not_impacted": "All versions starting from 1.3.2",
"package_slug": "go/github.com/gogo/protobuf/vanity/test",
"pubdate": "2022-03-28",
"solution": "Upgrade to version 1.3.2 or above.",
"title": "Improper Validation of Array Index",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3121",
"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025",
"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2",
"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E",
"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E",
"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E",
"https://security.netapp.com/advisory/ntap-20210219-0006/",
"https://pkg.go.dev/vuln/GO-2021-0053",
"https://github.com/advisories/GHSA-c3h9-896r-86jm"
],
"uuid": "19cd20cd-f788-4f7e-be9c-a99a6ae236d2",
"versions": [
{
"commit": {
"sha": "b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"tags": [
"v1.3.2"
],
"timestamp": "20210110080147"
},
"number": "v1.3.2"
}
]
},
{
"affected_range": "\u003cv1.8.15 || \u003e=v1.9.0 \u003cv1.9.9 || \u003e=v1.10.0 \u003cv1.10.2",
"affected_versions": "All versions before 1.8.15, all versions starting from 1.9.0 before 1.9.9, all versions starting from 1.10.0 before 1.10.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-129",
"CWE-937"
],
"date": "2021-09-14",
"description": "An issue was discovered in GoGo Protobuf `plugin/unmarshal/unmarshal.go` lacks certain index validation, aka the `skippy peanut butter` issue.",
"fixed_versions": [
"v1.8.15",
"v1.9.9",
"v1.10.2"
],
"identifier": "CVE-2021-3121",
"identifiers": [
"CVE-2021-3121"
],
"not_impacted": "All versions starting from 1.8.15 before 1.9.0, all versions starting from 1.9.9 before 1.10.0, all versions starting from 1.10.2",
"package_slug": "go/github.com/hashicorp/consul/acl",
"pubdate": "2021-01-11",
"solution": "Upgrade to versions 1.8.15, 1.9.9, 1.10.2 or above.",
"title": "Improper Validation of Array Index",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3121"
],
"uuid": "231b4e74-78e0-4c9b-8768-91a89abce0d6",
"versions": [
{
"commit": {
"sha": "0e06cada935d33208c080b6a912cb9683f961dee",
"tags": [
"v1.9.0"
],
"timestamp": "20201124190548"
},
"number": "v1.9.0"
},
{
"commit": {
"sha": "286bb61839d159bb9597d68d13f2f63ccd5e7bdd",
"tags": [
"v1.10.0"
],
"timestamp": "20210622172115"
},
"number": "v1.10.0"
},
{
"commit": {
"sha": "8159a14bed92f774437618587fc8b38fe603ade1",
"tags": [
"v1.9.9"
],
"timestamp": "20210827160612"
},
"number": "v1.9.9"
},
{
"commit": {
"sha": "9eccfe0e6126f40cd84f48e1a267861645f9e21b",
"tags": [
"v1.8.15"
],
"timestamp": "20210827162802"
},
"number": "v1.8.15"
},
{
"commit": {
"sha": "8fba564a86d1857c2e91aa0b16939ad2e75aeb62",
"tags": [
"v1.10.2"
],
"timestamp": "20210827194405"
},
"number": "v1.10.2"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:golang:protobuf:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.3.2",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.8.15",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.8.15",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.9.9",
"versionStartIncluding": "1.9.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.9.9",
"versionStartIncluding": "1.9.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.10.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.10.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3121"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-129"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2"
},
{
"name": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210219-0006/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210219-0006/"
},
{
"name": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025"
},
{
"name": "[skywalking-notifications] 20211018 [GitHub] [skywalking-swck] hanahmily opened a new pull request #37: Fix vulnerabilities",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7
}
},
"lastModifiedDate": "2022-04-01T15:41Z",
"publishedDate": "2021-01-11T06:15Z"
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.