Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1qMnBjLXY2NHItbXY0Zs4ABOMt

Low CVSS: 1.0
Permalink JSON

Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH

Affected Packages Affected Versions Fixed Versions
maven:io.github.ascopes:protobuf-maven-plugin < 3.10.2, >= 4.0.0, <= 4.0.1 3.10.2, 4.0.2
0 Dependent packages
0 Dependent repositories

Affected Version Ranges

All affected versions

0.0.1, 0.0.1-M1, 0.0.1-M2, 0.0.1-M3, 0.0.1-M4, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.0-rc1, 1.2.1, 2.0.0, 2.0.0-alpha1, 2.0.0-alpha2, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.8.0, 3.8.1, 3.8.2, 3.9.0, 3.9.1, 3.10.0, 3.10.1, 4.0.0-M1, 4.0.0-M2

All unaffected versions

3.10.2

Summary

The expected protocDigest is ignored when protoc is taken from the PATH.

Details

The documentation for the protocDigest parameter says:

... Users may wish to specify this if using a PATH-based binary ...

However, when specifying <protoc>PATH</protoc> the protocDigest is not actually checked because the code returns here already
https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L91-L93

before the digest check:
https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L106

PoC

Specify:

<protoc>PATH</protoc>
<protocDigest>sha256:0000000000000000000000000000000000000000000000000000000000000000</protocDigest>

And notice how the protoc on the PATH is not rejected, despite a digest mismatch.

Impact

Users who have an untrusted protoc executable on their PATH and rely <protocDigest> as protection are affected.

References:

Identifiers

GHSA-j2pc-v64r-mv4f

Risk

Severity

Low

CVSS

CVSS Score: 1.0

CVSS vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/ascopes/protobuf-maven-plugin

Date and time

Published

12 days ago

Updated

3 days ago

API

JSON