Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00Z2c1LXZ4M2oteHdjN84AAwQz
Protobuf Java vulnerable to Uncontrolled Resource Consumption
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Permalink: https://github.com/advisories/GHSA-4gg5-vx3j-xwc7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Z2c1LXZ4M2oteHdjN84AAwQz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-4gg5-vx3j-xwc7, CVE-2022-3510
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-3510
- https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
- https://github.com/advisories/GHSA-4gg5-vx3j-xwc7
Affected Packages
maven:com.google.protobuf:protobuf-javalite
Versions: >= 3.21.0, < 3.21.7, >= 3.20.0, < 3.20.3, >= 3.17.0, < 3.19.6, < 3.16.3Fixed in: 3.21.7, 3.20.3, 3.19.6, 3.16.3
maven:com.google.protobuf:protobuf-java
Versions: >= 3.21.0, < 3.21.7, >= 3.20.0, < 3.20.3, >= 3.17.0, < 3.19.6, < 3.16.3Fixed in: 3.21.7, 3.20.3, 3.19.6, 3.16.3