CVE-2022-3171
MEDIUM5.7EPSS 0.11%protobuf-java has a potential Denial of Service issue
發布日:2022/10/4修改日:2026/4/28
描述
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
受影響套件(6)
- Debian/protobuffrom 0
- Maven/com.google.protobuf:protobuf-java>= 3.21.0-rc-1, < 3.21.7
- Maven/com.google.protobuf:protobuf-javalite>= 3.21.0-rc-1, < 3.21.7
- Maven/com.google.protobuf:protobuf-kotlin>= 3.21.0-rc-1, < 3.21.7
- Maven/com.google.protobuf:protobuf-kotlin-lite>= 3.21.0-rc-1, < 3.21.7
- RubyGems/google-protobuf>= 3.21.0.rc.1, < 3.21.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.7 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
參考連結(13)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-3171
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-3171
- PATCHhttps://github.com/protocolbuffers/protobuf
- WEBhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
- WEBhttps://github.com/protocolbuffers/protobuf/releases/tag/v21.7
- WEBhttps://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3
- WEBhttps://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6
- WEBhttps://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3
- WEBhttps://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP
- WEBhttps://security.gentoo.org/glsa/202301-09