GHSA-8gq9-2x98-w8hf

Source

https://github.com/advisories/GHSA-8gq9-2x98-w8hf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-8gq9-2x98-w8hf/GHSA-8gq9-2x98-w8hf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8gq9-2x98-w8hf

Aliases

CVE-2022-1941

Published

2022-09-23T20:31:15Z

Modified

2024-07-05T21:34:15.014207Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

protobuf-cpp and protobuf-python have potential Denial of Service issue

Details

Summary

A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.

Reporter: ClusterFuzz

Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.

Severity & Impact

As scored by google
Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Asscored byt NIST
High 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.

Proof of Concept

For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.

Mitigation / Patching

Please update to the latest available versions of the following packages: - protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6) - protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

References

Affected packages

PyPI / protobuf

Package

Name: protobuf; View open source insights on deps.dev
Purl: pkg:pypi/protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.18.3

Affected versions

2.*

2.0.0beta

2.0.3

2.3.0

2.4.1

2.5.0

2.6.0

2.6.1

3.*

3.0.0a2

3.0.0a3

3.0.0b1

3.0.0b1.post1

3.0.0b1.post2

3.0.0b2

3.0.0b2.post1

3.0.0b2.post2

3.0.0b3

3.0.0b4

3.0.0

3.1.0

3.1.0.post1

3.2.0rc1

3.2.0rc1.post1

3.2.0rc2

3.2.0

3.3.0

3.4.0

3.5.0.post1

3.5.1

3.5.2

3.5.2.post1

3.6.0

3.6.1

3.7.0rc2

3.7.0rc3

3.7.0

3.7.1

3.8.0rc1

3.8.0

3.9.0rc1

3.9.0

3.9.1

3.9.2

3.10.0rc1

3.10.0

3.11.0rc1

3.11.0rc2

3.11.0

3.11.1

3.11.2

3.11.3

3.12.0rc1

3.12.0rc2

3.12.0

3.12.1

3.12.2

3.12.4

3.13.0rc3

3.13.0

3.14.0rc1

3.14.0rc2

3.14.0rc3

3.14.0

3.15.0rc1

3.15.0rc2

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.15.5

3.15.6

3.15.7

3.15.8

3.16.0rc1

3.16.0rc2

3.16.0

3.17.0rc1

3.17.0rc2

3.17.0

3.17.1

3.17.2

3.17.3

3.18.0rc1

3.18.0rc2

3.18.0

3.18.1

PyPI / protobuf

Package

Name: protobuf; View open source insights on deps.dev
Purl: pkg:pypi/protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.19.0

Fixed

3.19.5

Affected versions

3.*

3.19.0

3.19.1

3.19.2

3.19.3

3.19.4

PyPI / protobuf

Package

Name: protobuf; View open source insights on deps.dev
Purl: pkg:pypi/protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.20.0

Fixed

3.20.2

Affected versions

3.*

3.20.0

3.20.1rc1

3.20.1

PyPI / protobuf

Package

Name: protobuf; View open source insights on deps.dev
Purl: pkg:pypi/protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.21.6

Affected versions

4.*

4.21.0rc1

4.21.0rc2

4.21.0

4.21.1

4.21.2

4.21.3

4.21.4

4.21.5