{ "schema_version": "1.4.0", "id": "GHSA-8gq9-2x98-w8hf", "modified": "2024-07-05T21:23:56Z", "published": "2022-09-23T20:31:15Z", "aliases": [ "CVE-2022-1941" ], "summary": "protobuf-cpp and protobuf-python have potential Denial of Service issue", "details": "### Summary\n\nA message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.\n\nReporter: [ClusterFuzz](https://google.github.io/clusterfuzz/)\n\nAffected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.\n\n### Severity & Impact\nAs scored by google \n**Medium 5.7** - [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \nAsscored byt NIST \n**High 7.5** - [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nA small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.\n\n### Proof of Concept\n\nFor reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.\n\n### Mitigation / Patching\n\nPlease update to the latest available versions of the following packages:\n- protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)\n- protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.18.3" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.19.0" }, { "fixed": "3.19.5" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0" }, { "fixed": "3.20.2" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.21.6" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1941" }, { "type": "WEB", "url": "https://cloud.google.com/support/bulletins#GCP-2022-019" }, { "type": "PACKAGE", "url": "https://github.com/protocolbuffers/protobuf" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240705-0001" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/09/27/1" } ], "database_specific": { "cwe_ids": [ "CWE-119", "CWE-1286" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-23T20:31:15Z", "nvd_published_at": "2022-09-22T15:15:00Z" } }