Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03N3JtLTl4OWgteGozZ80mxQ
NULL Pointer Dereference in Protocol Buffers
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
Permalink: https://github.com/advisories/GHSA-77rm-9x9h-xj3gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03N3JtLTl4OWgteGozZ80mxQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00045
EPSS Percentile: 0.17538
Identifiers: GHSA-77rm-9x9h-xj3g, CVE-2021-22570
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22570
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
- https://github.com/advisories/GHSA-77rm-9x9h-xj3g
- https://github.com/pypa/advisory-database/tree/main/vulns/protobuf/PYSEC-2022-48.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA
- https://lists.fedoraproject.org/archives/list/[email protected]/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X
- https://lists.fedoraproject.org/archives/list/[email protected]/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY
- https://lists.fedoraproject.org/archives/list/[email protected]/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ
- https://lists.fedoraproject.org/archives/list/[email protected]/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B
- https://lists.fedoraproject.org/archives/list/[email protected]/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP
- https://security.netapp.com/advisory/ntap-20220429-0005
Blast Radius: 111.3
Affected Packages
maven:com.google.protobuf:protobuf-java
Dependent packages: 5,130Dependent repositories: 38,630
Downloads:
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 2.0.1, 2.0.3, 2.1.0, 2.2.0, 2.3.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.11.0, 3.11.1, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.16.1, 3.16.3, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 4.26.0, 4.26.1, 4.27.0, 4.27.1, 4.27.2, 4.27.3, 4.27.4, 4.27.5, 4.28.0, 4.28.1, 4.28.2, 4.28.3, 4.29.0, 4.29.1, 4.29.2, 4.29.3
pypi:protobuf
Dependent packages: 3,080Dependent repositories: 107,822
Downloads: 253,375,983 last month
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 2.0.3, 2.3.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 4.21.0, 4.21.1, 4.21.2, 4.21.3, 4.21.4, 4.21.5, 4.21.6, 4.21.7, 4.21.8, 4.21.9, 4.21.10, 4.21.11, 4.21.12, 4.22.0, 4.22.1, 4.22.3, 4.22.4, 4.22.5, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.24.0, 4.24.1, 4.24.2, 4.24.3, 4.24.4, 4.25.0, 4.25.1, 4.25.2, 4.25.3, 4.25.4, 4.25.5, 5.26.0, 5.26.1, 5.27.0, 5.27.1, 5.27.2, 5.27.3, 5.27.4, 5.27.5, 5.28.0, 5.28.1, 5.28.2, 5.28.3, 5.29.0, 5.29.1, 5.29.2, 5.29.3
go:github.com/protocolbuffers/protobuf
Dependent packages: 5Dependent repositories: 68
Downloads:
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 2.4.1, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.26.0, 3.26.1, 3.27.0, 3.27.1, 3.27.2, 3.27.3, 3.27.4, 3.27.5, 3.28.0, 3.28.1, 3.28.2, 3.28.3, 3.29.0, 3.29.1, 3.29.2, 3.29.3, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.22.4, 4.22.5, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.24.0, 4.24.1, 4.24.2, 4.24.3, 4.24.4, 4.25.0, 4.25.1, 4.25.2, 4.25.3, 4.25.4, 4.25.5, 5.26.0, 5.26.1, 5.27.0, 5.27.1, 5.27.2, 5.27.3, 5.27.4, 5.27.5, 5.28.0, 5.28.1, 5.28.2, 5.28.3, 5.29.0, 5.29.1, 5.29.2, 5.29.3
packagist:google/protobuf
Dependent packages: 298Dependent repositories: 1,794
Downloads: 82,973,820 total
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 4.26.0, 4.26.1, 4.27.0, 4.27.1, 4.27.2, 4.27.3, 4.27.4, 4.27.5, 4.28.0, 4.28.1, 4.28.2, 4.28.3, 4.29.0, 4.29.1, 4.29.2, 4.29.3
nuget:Google.Protobuf
Dependent packages: 986Dependent repositories: 0
Downloads: 606,074,376 total
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.10.1, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.13.0, 3.14.0
All unaffected versions: 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.21.7, 3.21.8, 3.21.9, 3.21.10, 3.21.11, 3.21.12, 3.22.0, 3.22.1, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.26.0, 3.26.1, 3.27.0, 3.27.1, 3.27.2, 3.27.3, 3.27.4, 3.27.5, 3.28.0, 3.28.1, 3.28.2, 3.28.3, 3.29.0, 3.29.1, 3.29.2, 3.29.3