7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
30.0%
A potential Denial of Service issue in protobuf-java
core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Please update to the latest available versions of the following packages:
protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
github.com/advisories/GHSA-h4h5-3hr4-j3g2
github.com/protocolbuffers/protobuf/releases/tag/v21.7
github.com/protocolbuffers/protobuf/releases/tag/v3.16.3
github.com/protocolbuffers/protobuf/releases/tag/v3.19.6
github.com/protocolbuffers/protobuf/releases/tag/v3.20.3
github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml
lists.fedoraproject.org/archives/list/[email protected]/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
lists.fedoraproject.org/archives/list/[email protected]/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
nvd.nist.gov/vuln/detail/CVE-2022-3171
security.gentoo.org/glsa/202301-09
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
30.0%