Vulnerabilities related to google - protobuf-python
CVE-2022-1941 (GCVE-0-2022-1941)
Vulnerability from cvelistv5
Published
2022-09-22 00:00
Modified
2024-08-03 00:24
Severity: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CISA-ADP enrichment); 5.7 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Google CNA). The two vectors disagree on attack vector and privileges; see the note under Summary.
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Summary
A parsing vulnerability in the MessageSet type of Protocol Buffers — protobuf-cpp versions up to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5, and protobuf-python versions up to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 — can lead to out-of-memory failures. A specially crafted message that carries multiple key/value pairs per MessageSet element triggers the parsing issue, so any service that parses unsanitized (attacker-controlled) protobuf input can be driven into a denial of service. Upgrade to 3.18.3, 3.19.5, 3.20.2 or 3.21.6 for protobuf-cpp and to 3.18.3, 3.19.5, 3.20.2 or 4.21.6 for protobuf-python. The 3.16 and 3.17 branches are no longer updated and received no fix, so deployments on them must move to a supported branch rather than wait for a patch release. Note that the Google CNA's own CVSS 3.1 vector on this record rates it 5.7 (Medium, AV:A/PR:L) while NVD and CISA-ADP rate it 7.5 (High, AV:N/PR:N); for a parser that accepts protobuf from the network without authentication, the 7.5 assessment is the realistic one.
References
Impacted products
Vendor | Product | Affected versions (Google CNA) |
---|---|---|
Google LLC | protobuf-cpp | ≤ 3.16.1, ≤ 3.17.3, ≤ 3.18.2, ≤ 3.19.4, ≤ 3.20.1, ≤ 3.21.5 |
Google LLC | protobuf-python | ≤ 3.16.1, ≤ 3.17.3, ≤ 3.18.2, ≤ 3.19.4, ≤ 3.20.1, ≤ 4.21.5 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "protobuf-cpp", "vendor": "google", "versions": [ { "lessThan": "3.18.3", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.19.5", "status": "affected", "version": "3.19.0", "versionType": "custom" }, { "lessThan": "3.20.2", "status": "affected", "version": "3.20.0", "versionType": "custom" }, { "lessThan": "3.21.6", "status": "affected", "version": "3.21.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "protobuf-python", "vendor": "google", "versions": [ { "lessThan": "3.18.3", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.19.5", "status": "affected", "version": "3.19.0", "versionType": "custom" }, { "lessThan": "3.20.2", "status": "affected", "version": "3.20.0", "versionType": "custom" }, { "lessThan": "4.21.6", "status": "affected", "version": "4.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-1941", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-16T19:20:47.222552Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-16T19:36:06.065Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:42.594Z", 
"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://cloud.google.com/support/bulletins#GCP-2022-019" }, { "tags": [ "x_transferred" ], "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf" }, { "name": "[oss-security] 20220927 CVE-2022-1941: Protobuf C++, Python DoS", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/27/1" }, { "name": "FEDORA-2022-25f35ed634", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/" }, { "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html" }, { "name": "FEDORA-2022-15729fa33d", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240705-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "protobuf-cpp", "vendor": "Google LLC", "versions": [ { "lessThanOrEqual": "3.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.17.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.18.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.19.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.20.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.21.5", "status": "affected", "version": 
"unspecified", "versionType": "custom" } ] }, { "product": "protobuf-python", "vendor": "Google LLC", "versions": [ { "lessThanOrEqual": "3.16.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.17.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.18.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.19.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "3.20.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "4.21.5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "CluterFuzz - https://google.github.io/clusterfuzz/" } ], "descriptions": [ { "lang": "en", "value": "A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated." 
} ], "metrics": [ { "other": { "content": { "attackComplexity": "LOW", "attackVector": "ADJACENT", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1286", "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-05T16:05:57.237168", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google" }, "references": [ { "url": "https://cloud.google.com/support/bulletins#GCP-2022-019" }, { "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf" }, { "name": "[oss-security] 20220927 CVE-2022-1941: Protobuf C++, Python DoS", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/27/1" }, { "name": "FEDORA-2022-25f35ed634", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/" }, { "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html" }, { "name": "FEDORA-2022-15729fa33d", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/" }, { "url": "https://security.netapp.com/advisory/ntap-20240705-0001/" } ], "source": { "discovery": "INTERNAL" }, "title": "Out of Memory issue in ProtocolBuffers for cpp and python", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": 
"14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-1941", "datePublished": "2022-09-22T00:00:00", "dateReserved": "2022-05-30T00:00:00", "dateUpdated": "2024-08-03T00:24:42.594Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4565 (GCVE-0-2025-4565)
Vulnerability from cvelistv5
Published
2025-06-16 14:50
Modified
2025-06-16 15:39
Severity: 8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (Google CNA)
CWE
- CWE-674 - Uncontrolled Recursion
Summary
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrarily deep nesting of recursive groups, recursive messages, or a series of SGROUP tags can exceed the Python recursion limit. The parse then aborts with a RecursionError, crashing the application — a denial of service. This advisory covers only the pure-Python decoder (python/google/protobuf/internal/decoder.py); confirm which backend your deployment actually loads before triaging. Upgrade to version >= 6.31.1, or to the fixed point releases on the older branches listed below (4.25.8 and 5.29.5), or to any build at or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
References
Impacted products
Vendor | Product | Affected versions (Google CNA) |
---|---|---|
protocolbuffers | Python-Protobuf | 0 ≤ v < 4.25.8; 0 ≤ v < 5.29.5; 0 ≤ v < 6.31.1 (the three CNA ranges all start at 0 and overlap; NVD narrows them to < 4.25.8, 5.26.0 ≤ v < 5.29.5 and 6.30.0 ≤ v < 6.31.1) |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4565", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-16T15:38:57.654894Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-16T15:39:18.263Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/protocolbuffers/protobuf/", "defaultStatus": "unaffected", "packageName": "protobuf", "product": "Python-Protobuf", "programFiles": [ "python/google/protobuf/internal/decoder.py" ], "repo": "https://github.com/protocolbuffers/protobuf/", "vendor": "protocolbuffers", "versions": [ { "lessThan": "4.25.8", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "5.29.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "6.31.1", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "collectionURL": "https://pypi.org/project/protobuf/", "defaultStatus": "unaffected", "product": "Python-Protobuf", "repo": "https://pypi.org/project/protobuf/", "vendor": "protocolbuffers", "versions": [ { "lessThan": "4.25.8", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "5.29.5", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "6.31.1", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Alexis Challande - Trail of Bits Ecosystem Security Team" } ], "datePublic": "2025-05-12T22:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that uses \u003c/span\u003e\u003cstrong\u003eProtobuf Pure-Python 
backend\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to parse untrusted Protocol Buffers data containing an arbitrary number of recursive \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es, recursive \u003c/span\u003e\u003ccode\u003emessage\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es or a series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =\u0026gt;6.31.1 or beyond commit\u0026nbsp;17838beda2943d08b8a9d4df5b68f5f04f26d901\u003c/span\u003e\u003cbr\u003e" } ], "value": "Any project that uses Protobuf Pure-Python backend\u00a0to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP\u00a0tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. 
We recommend upgrading to version =\u003e6.31.1 or beyond commit\u00a017838beda2943d08b8a9d4df5b68f5f04f26d901" } ], "impacts": [ { "capecId": "CAPEC-130", "descriptions": [ { "lang": "en", "value": "CAPEC-130 Excessive Allocation" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "description": "CWE-674 Uncontrolled Recursion", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-16T14:50:40.906Z", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google" }, "references": [ { "url": "https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901" } ], "source": { "discovery": "EXTERNAL" }, "title": "Unbounded recursion in Python Protobuf", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2025-4565", "datePublished": "2025-06-16T14:50:40.906Z", "dateReserved": "2025-05-12T05:48:12.941Z", "dateUpdated": "2025-06-16T15:39:18.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2025-06-16 15:15
Modified
2025-08-14 17:05
Severity: 5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, Primary); 8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (Google CNA, Secondary)
Summary
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrarily deep nesting of recursive groups, recursive messages, or a series of SGROUP tags can exceed the Python recursion limit. The parse then aborts with a RecursionError, crashing the application — a denial of service. Upgrade to version >= 6.31.1 (NVD also lists 4.25.8 and 5.29.5 as the fixed releases of the 4.x and 5.x branches), or to any build at or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901. NVD scores this 5.3 (Medium, availability impact Low) under CVSS 3.1, whereas the Google CNA scores it 8.2 (High, VA:H) under CVSS 4.0; treat a process that parses attacker-supplied protobuf with the pure-Python decoder as the High case, since a single crafted message terminates it.
References
Impacted products
Vendor | Product | Affected version range (NVD) |
---|---|---|
google | protobuf-python | < 4.25.8 |
google | protobuf-python | 5.26.0 ≤ v < 5.29.5 |
google | protobuf-python | 6.30.0 ≤ v < 6.31.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CE770F3-A719-45B8-83F5-3AAC15F92BAB", "versionEndExcluding": "4.25.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*", "matchCriteriaId": "4665132F-1171-4C9B-929C-A17B18C48346", "versionEndExcluding": "5.29.5", "versionStartIncluding": "5.26.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DE9676C-D5FF-4775-95B6-254BBE420757", "versionEndExcluding": "6.31.1", "versionStartIncluding": "6.30.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Any project that uses Protobuf Pure-Python backend\u00a0to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP\u00a0tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =\u003e6.31.1 or beyond commit\u00a017838beda2943d08b8a9d4df5b68f5f04f26d901" }, { "lang": "es", "value": "Cualquier proyecto que utilice el backend Protobuf Pure-Python para analizar datos de Protocol Buffers no confiables que contengan un n\u00famero arbitrario de grupos recursivos, mensajes recursivos o una serie de etiquetas SGROUP puede corromperse al exceder el l\u00edmite de recursi\u00f3n de Python. Esto puede provocar una denegaci\u00f3n de servicio (DSP) que bloquea la aplicaci\u00f3n con un RecursionError. Recomendamos actualizar a la versi\u00f3n 6.31.1 o posterior (commit 17838beda2943d08b8a9d4df5b68f5f04f26d901)." 
} ], "id": "CVE-2025-4565", "lastModified": "2025-08-14T17:05:37.770", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", 
"vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cve-coordination@google.com", "type": "Secondary" } ] }, "published": "2025-06-16T15:15:24.990", "references": [ { "source": "cve-coordination@google.com", "tags": [ "Patch" ], "url": "https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901" } ], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-674" } ], "source": "cve-coordination@google.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-09-22 15:15
Modified
2024-11-21 06:41
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Primary)
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CISA-ADP, Secondary)
Note: the Google CNA's own record carries a lower vector, CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.7, Medium); NVD did not adopt it.
Summary
A parsing vulnerability in the MessageSet type of Protocol Buffers — protobuf-cpp versions up to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5, and protobuf-python versions up to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 — can lead to out-of-memory failures. A specially crafted message that carries multiple key/value pairs per MessageSet element triggers the parsing issue, so any service that parses unsanitized (attacker-controlled) protobuf input can be driven into a denial of service. Upgrade to 3.18.3, 3.19.5, 3.20.2 or 3.21.6 for protobuf-cpp and to 3.18.3, 3.19.5, 3.20.2 or 4.21.6 for protobuf-python. The 3.16 and 3.17 branches are no longer updated and received no fix, so deployments on them must move to a supported branch. Distribution packages are tracked separately below (Fedora 36/37 and Debian 10 advisories are linked in References); check the distro's patched package version rather than the upstream numbers when the library comes from an OS package.
References
Source | URL | Tags |
---|---|---|
cve-coordination@google.com | http://www.openwall.com/lists/oss-security/2022/09/27/1 | Mailing List, Third Party Advisory | |
cve-coordination@google.com | https://cloud.google.com/support/bulletins#GCP-2022-019 | Third Party Advisory | |
cve-coordination@google.com | https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf | Third Party Advisory | |
cve-coordination@google.com | https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html | Mailing List | |
cve-coordination@google.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/ | ||
cve-coordination@google.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/ | ||
cve-coordination@google.com | https://security.netapp.com/advisory/ntap-20240705-0001/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/09/27/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cloud.google.com/support/bulletins#GCP-2022-019 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html | Mailing List | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/ | ||
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/ | ||
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240705-0001/ |
Impacted products
Vendor | Product | Affected version range (NVD) |
---|---|---|
google | protobuf-cpp | < 3.18.3 |
google | protobuf-cpp | 3.19.0 ≤ v < 3.19.5 |
google | protobuf-cpp | 3.20.0 ≤ v < 3.20.2 |
google | protobuf-cpp | 3.21.0 ≤ v < 3.21.6 |
google | protobuf-python | < 3.18.3 |
google | protobuf-python | 3.19.0 ≤ v < 3.19.5 |
google | protobuf-python | 3.20.0 ≤ v < 3.20.2 |
google | protobuf-python | 4.0.0 ≤ v < 4.21.6 |
fedoraproject | fedora | 36 |
fedoraproject | fedora | 37 |
debian | debian_linux | 10.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A836785-66BB-421D-83DC-01AC558E7EB8", "versionEndExcluding": "3.18.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2CE47F2-1804-4931-9DC9-A725DD3E2706", "versionEndExcluding": "3.19.5", "versionStartIncluding": "3.19.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BA60969-22F7-4A4A-9053-EEEC7EA6F5D9", "versionEndExcluding": "3.20.2", "versionStartIncluding": "3.20.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*", "matchCriteriaId": "91BCDB1F-CBA9-4045-938F-E695AD4655B0", "versionEndExcluding": "3.21.6", "versionStartIncluding": "3.21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F35B30A-9AFA-4CFB-A28A-19ADED42D5DD", "versionEndExcluding": "3.18.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A719BA3-DC20-4ADA-9F90-5F695609752A", "versionEndExcluding": "3.19.5", "versionStartIncluding": "3.19.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6C38B17-4211-438B-A01B-6967D30DB08E", "versionEndExcluding": "3.20.2", "versionStartIncluding": "3.20.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*", "matchCriteriaId": "046EB3D9-94B5-434C-A14F-6EE26F26091E", "versionEndExcluding": "4.21.6", "versionStartIncluding": "4.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": 
"E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated." }, { "lang": "es", "value": "Una vulnerabilidad de an\u00e1lisis de tipo MessageSet en ProtocolBuffers versiones anteriores a 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 y 3.21.5 para protobuf-cpp, y las versiones anteriores a la 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 y 4.21.5 para protobuf-python, entre otras, puede conllevar a fallos de memoria. Un mensaje especialmente dise\u00f1ado con m\u00faltiples elementos clave-valor por crea problemas de an\u00e1lisis, y puede conllevar a una denegaci\u00f3n de servicio contra los servicios que reciban entradas no saneadas. Es recomendado actualizar a versiones 3.18.3, 3.19.5, 3.20.2, 3.21.6 para protobuf-cpp y 3.18.3, 3.19.5, 3.20.2, 4.21.6 para protobuf-python. 
Las versiones para 3.16 y 3.17 ya no son actualizadas" } ], "id": "CVE-2022-1941", "lastModified": "2024-11-21T06:41:47.920", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-09-22T15:15:09.203", "references": [ { "source": "cve-coordination@google.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/27/1" }, { "source": "cve-coordination@google.com", "tags": [ "Third Party Advisory" ], "url": "https://cloud.google.com/support/bulletins#GCP-2022-019" }, { "source": "cve-coordination@google.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf" }, { "source": "cve-coordination@google.com", "tags": [ "Mailing List" ], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html" }, { "source": "cve-coordination@google.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/" }, { "source": 
"cve-coordination@google.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/" }, { "source": "cve-coordination@google.com", "url": "https://security.netapp.com/advisory/ntap-20240705-0001/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/09/27/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://cloud.google.com/support/bulletins#GCP-2022-019" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240705-0001/" } ], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1286" } ], "source": "cve-coordination@google.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }