Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03N3JtLTl4OWgteGozZ80mxQ
NULL Pointer Dereference in Protocol Buffers
A null pointer dereference occurs when a NUL character is present in a proto symbol name. The symbol is parsed incorrectly, which leaves the pointer to the symbol's proto file null; the code that generates the resulting error message then calls into the file's name without checking that pointer. The outcome is a crash of the process doing the parsing, i.e. a denial of service, which is what the CVSS vector below reflects (C:N/I:N/A:H). We recommend upgrading to version 3.15.0 or greater.
Permalink: https://github.com/advisories/GHSA-77rm-9x9h-xj3g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03N3JtLTl4OWgteGozZ80mxQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-77rm-9x9h-xj3g, CVE-2021-22570
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22570
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20220429-0005/
- https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
- https://github.com/advisories/GHSA-77rm-9x9h-xj3g
Blast Radius: 111.3
Affected Packages
maven:com.google.protobuf:protobuf-java
Dependent packages: 5,130
Dependent repositories: 38,630
Downloads:
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 2.0.1, 2.0.3, 2.1.0, 2.2.0, 2.3.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.11.0, 3.11.1, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.16.1, 3.16.3, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 4.26.0, 4.26.1, 4.27.0, 4.27.1, 4.27.2, 4.27.3, 4.27.4, 4.27.5, 4.28.0, 4.28.1, 4.28.2
pypi:protobuf
Dependent packages: 3,080
Dependent repositories: 107,822
Downloads: 278,559,728 last month
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 2.0.3, 2.3.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 4.21.0, 4.21.1, 4.21.2, 4.21.3, 4.21.4, 4.21.5, 4.21.6, 4.21.7, 4.21.8, 4.21.9, 4.21.10, 4.21.11, 4.21.12, 4.22.0, 4.22.1, 4.22.3, 4.22.4, 4.22.5, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.24.0, 4.24.1, 4.24.2, 4.24.3, 4.24.4, 4.25.0, 4.25.1, 4.25.2, 4.25.3, 4.25.4, 4.25.5, 5.26.0, 5.26.1, 5.27.0, 5.27.1, 5.27.2, 5.27.3, 5.27.4, 5.27.5, 5.28.0, 5.28.1, 5.28.2
go:github.com/protocolbuffers/protobuf
Dependent packages: 5
Dependent repositories: 68
Downloads:
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 2.4.1, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.26.0, 3.26.1, 3.27.0, 3.27.1, 3.27.2, 3.27.3, 3.27.4, 3.27.5, 3.28.0, 3.28.1, 3.28.2, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.22.4, 4.22.5, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.24.0, 4.24.1, 4.24.2, 4.24.3, 4.24.4, 4.25.0, 4.25.1, 4.25.2, 4.25.3, 4.25.4, 4.25.5, 5.26.0, 5.26.1, 5.27.0, 5.27.1, 5.27.2, 5.27.3, 5.27.4, 5.27.5, 5.28.0, 5.28.1, 5.28.2
packagist:google/protobuf
Dependent packages: 298
Dependent repositories: 1,794
Downloads: 74,140,990 total
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 4.26.0, 4.26.1, 4.27.0, 4.27.1, 4.27.2, 4.27.3, 4.27.4, 4.27.5, 4.28.0, 4.28.1, 4.28.2
nuget:Google.Protobuf
Dependent packages: 986
Dependent repositories: 0
Downloads: 531,894,079 total
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.10.1, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.26.0, 3.26.1, 3.27.0, 3.27.1, 3.27.2, 3.27.3, 3.27.4, 3.27.5, 3.28.0, 3.28.1, 3.28.2
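The affected range is the same "< 3.15.0" for every ecosystem listed above, so one check covers a mixed inventory. The following is an added example, not code from ecosyste.ms or the protobuf project: the range table is copied from this page, the inventory it audits is constructed sample data, and the `npm:google-protobuf` entry stands in for any package that is not on this advisory. Two caveats the comparison has to get right: the pypi and go lines jumped to 4.x and 5.x version numbers, which still compare as newer than 3.15.0; and a pre-release such as 3.15.0rc1 must sort below 3.15.0 and be treated as affected. Distribution packages (the Debian LTS and Fedora references above) carry their own version strings and backported fixes, so they should be checked against those advisories rather than this range.

```python
"""Audit a dependency inventory against the affected ranges listed above.

Added example, not code from ecosyste.ms or the protobuf project.
AFFECTED_RANGES is copied from the page; SAMPLE_INVENTORY is constructed.
"""
import re

# purl-style key -> range string, one per "Affected Packages" entry on the page
AFFECTED_RANGES = {
    "maven:com.google.protobuf:protobuf-java": "< 3.15.0",
    "pypi:protobuf": "< 3.15.0",
    "go:github.com/protocolbuffers/protobuf": "< 3.15.0",
    "packagist:google/protobuf": "< 3.15.0",
    "nuget:Google.Protobuf": "< 3.15.0",
}

_RANGE_RE = re.compile(r"^\s*(<=|>=|<|>|==|=)\s*(\S+)\s*$")
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(v: str) -> tuple:
    """Map '3.15.0', 'v3.15.0', '3.15.0rc1', '4.21.12' to comparable keys.

    Returns (numeric_components, is_final, suffix). Numeric components compare
    as integers (so 4.21.x > 3.15.0, which is why the renumbered pypi/go
    releases on the page count as fixed); a pre-release suffix sorts before
    the final release of the same number.
    """
    m = _VERSION_RE.match(v.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad '3.15' to (3, 15, 0)
    suffix = m.group(2)
    return (nums, 0 if suffix else 1, suffix)


def in_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies a single-clause range such as '< 3.15.0'."""
    m = _RANGE_RE.match(range_expr)
    if not m:
        raise ValueError(f"unsupported range: {range_expr!r}")
    op, bound = m.groups()
    a, b = parse_version(version), parse_version(bound)
    return {
        "<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b,
        "==": a == b, "=": a == b,
    }[op]


def audit(inventory: dict) -> dict:
    """Return {package: True (affected) | False (fixed) | None (not on this advisory)}."""
    return {
        pkg: (None if pkg not in AFFECTED_RANGES
              else in_range(ver, AFFECTED_RANGES[pkg]))
        for pkg, ver in inventory.items()
    }


# Constructed sample inventory, as `pip freeze`, `mvn dependency:list`,
# `dotnet list package` etc. would report it, normalised to purl-style keys
SAMPLE_INVENTORY = {
    "pypi:protobuf": "3.14.0",                             # last affected release
    "maven:com.google.protobuf:protobuf-java": "3.15.0",   # first fixed release
    "nuget:Google.Protobuf": "3.12.4",                     # affected
    "go:github.com/protocolbuffers/protobuf": "v4.25.1",   # fixed (renumbered line)
    "packagist:google/protobuf": "3.15.0rc1",              # pre-release of the fix
    "npm:google-protobuf": "3.14.0",                       # not listed on this page
}

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE_INVENTORY).items():
        label = {True: "AFFECTED", False: "fixed", None: "not in advisory"}[state]
        print(f"{label:16} {pkg} {SAMPLE_INVENTORY[pkg]}")
```

A `None` result is deliberately distinct from `False`: a package this advisory does not list is not thereby known to be safe, it is simply outside the advisory's scope and needs its own lookup.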