cvelist Google CVELIST:CVE-2022-3510
History: Nov 11, 2022 - 4:35 p.m.

CVE-2022-3510 Parsing issue in protobuf message-type extension

2022-11-11 16:35:20
Google
www.cve.org
cve-2022-3510
parsing issue
protobuf message-type extension
denial of service
update recommended

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.7
Confidence: High

EPSS: 0.001
Percentile: 33.6%

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "all"
    ],
    "product": "ProtocolBuffers",
    "repo": "https://github.com/protocolbuffers/protobuf/",
    "vendor": "Google",
    "versions": [
      {
        "lessThan": "3.21.7",
        "status": "affected",
        "version": "3.21.0",
        "versionType": "semver"
      },
      {
        "lessThan": "3.20.3",
        "status": "affected",
        "version": "3.20.0",
        "versionType": "semver"
      },
      {
        "lessThan": "3.19.6",
        "status": "affected",
        "version": "3.19.0",
        "versionType": "semver"
      },
      {
        "lessThan": "3.16.3",
        "status": "affected",
        "version": "3.16.0",
        "versionType": "semver"
      }
    ]
  }
]
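
The following is an added example, not part of the CVE record or the protobuf project: it checks dependency versions against the CNA ranges above exactly as they are written. The Maven artifact ids for the core and lite runtimes are assumptions, and the dependency list is constructed.

```python
import json
import re

# "versions" and "defaultStatus" copied from the CNA record above.
CNA = json.loads("""
{"defaultStatus": "unaffected", "versions": [
  {"version": "3.21.0", "lessThan": "3.21.7", "status": "affected"},
  {"version": "3.20.0", "lessThan": "3.20.3", "status": "affected"},
  {"version": "3.19.0", "lessThan": "3.19.6", "status": "affected"},
  {"version": "3.16.0", "lessThan": "3.16.3", "status": "affected"}]}
""")
# Assumed Maven artifact ids for the "core and lite" runtimes.
ARTIFACTS = {"protobuf-java", "protobuf-javalite"}

def parse(version):
    """Return (major, minor, patch), or None if a qualifier (e.g. -rc-1) is present."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(map(int, m.groups())) if m else None

def cna_status(version, record=CNA):
    """Evaluate one version against the record's ranges, as written."""
    v = parse(version)
    if v is None:
        return "review"  # qualified version: not decidable from X.Y.Z ranges
    for r in record["versions"]:
        if parse(r["version"]) <= v < parse(r["lessThan"]):
            return r["status"]
    return record["defaultStatus"]

def audit(coordinates):
    """Map group:artifact:version strings to a status, protobuf artifacts only."""
    findings = {}
    for coord in coordinates:
        _, artifact, version = coord.split(":")
        if artifact in ARTIFACTS:
            findings[coord] = cna_status(version)
    return findings

# Constructed dependency list, not taken from a real project.
SAMPLE = ["com.google.protobuf:protobuf-java:3.21.6",
          "com.google.protobuf:protobuf-javalite:3.20.3",
          "com.google.protobuf:protobuf-java:3.18.2",
          "com.google.protobuf:protobuf-java:3.21.0-rc-1",
          "org.example:other-lib:1.0.0"]

if __name__ == "__main__":
    for coord, status in audit(SAMPLE).items():
        print(f"{status:10} {coord}")
```

A version outside the four listed branches, such as 3.18.2 in the sample, falls through to the record's defaultStatus; compare such results against the description's "prior to" wording before closing them out.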
