CVSS2: 5.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3: 7.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

EPSS: 0.002 Low
Percentile: 53.6%
Nanopb is a small code-size Protocol Buffers implementation in ANSI C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains a oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See the referenced GitHub Security Advisory for more information, including workarounds.
github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt#L1
github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261
github.com/nanopb/nanopb/issues/647
github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88
launchpad.net/bugs/cve/CVE-2021-21401
nvd.nist.gov/vuln/detail/CVE-2021-21401
security-tracker.debian.org/tracker/CVE-2021-21401
ubuntu.com/security/notices/USN-6121-1
www.cve.org/CVERecord?id=CVE-2021-21401