GHSA-h4h5-3hr4-j3g2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h4h5-3hr4-j3g2
- Aliases
- Related
- Published
- 2022-10-04T22:17:15Z
- Modified
- 2024-10-22T05:28:55.628053Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- protobuf-java has a potential Denial of Service issue
- Details
-
Summary
A potential Denial of Service issue in
protobuf-javacore and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
Severity
CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Remediation and Mitigation
Please update to the latest available versions of the following packages:
protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
- References
-
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
- https://nvd.nist.gov/vuln/detail/CVE-2022-3171
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
- https://github.com/protocolbuffers/protobuf
- https://github.com/protocolbuffers/protobuf/releases/tag/v21.7
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP
- https://security.gentoo.org/glsa/202301-09
Affected packages
Maven / com.google.protobuf:protobuf-java
Package
- Name
- com.google.protobuf:protobuf-java
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-java
Maven / com.google.protobuf:protobuf-kotlin
Package
- Name
- com.google.protobuf:protobuf-kotlin
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin
RubyGems / google-protobuf
Package
- Name
- google-protobuf
- Purl
- pkg:gem/google-protobuf
Maven / com.google.protobuf:protobuf-javalite
Package
- Name
- com.google.protobuf:protobuf-javalite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-javalite
Maven / com.google.protobuf:protobuf-kotlin-lite
Package
- Name
- com.google.protobuf:protobuf-kotlin-lite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin-lite
Maven / com.google.protobuf:protobuf-java
Package
- Name
- com.google.protobuf:protobuf-java
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-java
Maven / com.google.protobuf:protobuf-java
Package
- Name
- com.google.protobuf:protobuf-java
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-java
Maven / com.google.protobuf:protobuf-java
Package
- Name
- com.google.protobuf:protobuf-java
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-java
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.16.3
Affected versions
2.*
2.0.1
2.0.3
2.1.0
2.2.0
2.3.0
2.4.0a
2.4.1
2.5.0
2.6.0
2.6.1
3.*
3.0.0-alpha-2
3.0.0-alpha-3
3.0.0-alpha-3.1
3.0.0-beta-1
3.0.0-beta-2
3.0.0-beta-3
3.0.0-beta-4
3.0.0
3.0.2
3.1.0
3.2.0rc2
3.2.0-rc.1
3.2.0
3.3.0
3.3.1
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.7.0-rc1
3.7.0
3.7.1
3.8.0-rc-1
3.8.0
3.9.0-rc-1
3.9.0
3.9.1
3.9.2
3.10.0-rc-1
3.10.0
3.11.0-rc-1
3.11.0-rc-2
3.11.0
3.11.1
3.11.3
3.11.4
3.12.0-rc-1
3.12.0-rc-2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0-rc-3
3.13.0
3.14.0-rc-1
3.14.0-rc-2
3.14.0-rc-3
3.14.0
3.15.0-rc-1
3.15.0-rc-2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0-rc-1
3.16.0-rc-2
3.16.0
3.16.1
Maven / com.google.protobuf:protobuf-kotlin
Package
- Name
- com.google.protobuf:protobuf-kotlin
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin
Maven / com.google.protobuf:protobuf-kotlin
Package
- Name
- com.google.protobuf:protobuf-kotlin
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin
Maven / com.google.protobuf:protobuf-kotlin
Package
- Name
- com.google.protobuf:protobuf-kotlin
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin
RubyGems / google-protobuf
Package
- Name
- google-protobuf
- Purl
- pkg:gem/google-protobuf
RubyGems / google-protobuf
Package
- Name
- google-protobuf
- Purl
- pkg:gem/google-protobuf
RubyGems / google-protobuf
Package
- Name
- google-protobuf
- Purl
- pkg:gem/google-protobuf
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.16.3
Affected versions
3.*
3.0.0.alpha.1.0
3.0.0.alpha.1.1
3.0.0.alpha.2.0
3.0.0.alpha.3
3.0.0.alpha.3.1.pre
3.0.0.alpha.4.0
3.0.0.alpha.5.0.3
3.0.0.alpha.5.0.4
3.0.0.alpha.5.0.5
3.0.0.alpha.5.0.5.1
3.0.0
3.0.2
3.1.0.0.pre
3.1.0
3.2.0
3.2.0.1
3.2.0.2
3.2.1.pre
3.3.0
3.4.0.1
3.4.0.2
3.4.1.1
3.5.0.pre
3.5.0
3.5.1
3.5.1.1
3.5.1.2
3.6.0
3.6.1
3.7.0.rc.2
3.7.0.rc.3
3.7.0
3.7.1
3.8.0.rc.1
3.8.0
3.9.0.rc.1
3.9.0
3.9.1
3.9.2
3.10.0.rc.1
3.10.1
3.11.0.rc.1
3.11.0.rc.2
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0.rc.1
3.12.0.rc.2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0.rc.3
3.13.0
3.14.0.rc.1
3.14.0.rc.2
3.14.0.rc.3
3.14.0
3.15.0.rc.1
3.15.0.rc.2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0.rc.1
3.16.0.rc.2
3.16.0
Maven / com.google.protobuf:protobuf-javalite
Package
- Name
- com.google.protobuf:protobuf-javalite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-javalite
Maven / com.google.protobuf:protobuf-javalite
Package
- Name
- com.google.protobuf:protobuf-javalite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-javalite
Maven / com.google.protobuf:protobuf-javalite
Package
- Name
- com.google.protobuf:protobuf-javalite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-javalite
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.16.3
Affected versions
3.*
3.8.0-rc-1
3.8.0
3.9.0-rc-1
3.9.0
3.9.1
3.9.2
3.10.0-rc-1
3.10.0
3.11.0-rc-1
3.11.0-rc-2
3.11.0
3.11.1
3.11.3
3.11.4
3.12.0-rc-1
3.12.0-rc-2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0-rc-3
3.13.0
3.14.0-rc-1
3.14.0-rc-2
3.14.0-rc-3
3.14.0
3.15.0-rc-1
3.15.0-rc-2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0-rc-1
3.16.0-rc-2
3.16.0
3.16.1
Maven / com.google.protobuf:protobuf-kotlin-lite
Package
- Name
- com.google.protobuf:protobuf-kotlin-lite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin-lite
Maven / com.google.protobuf:protobuf-kotlin-lite
Package
- Name
- com.google.protobuf:protobuf-kotlin-lite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin-lite
Maven / com.google.protobuf:protobuf-kotlin-lite
Package
- Name
- com.google.protobuf:protobuf-kotlin-lite
- View open source insights on deps.dev
- Purl
- pkg:maven/com.google.protobuf/protobuf-kotlin-lite