A parsing issue similar to CVE-2022-3171, but in text-format (textformat) parsing, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial-of-service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, potentially resulting in long garbage collection pauses. We recommend updating to the versions mentioned above.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/3xxx/CVE-2022-3509.json",
"cna_assigner": "Google"
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "3.16.0"
},
{
"fixed": "3.16.3"
},
{
"introduced": "3.19.0"
},
{
"fixed": "3.19.6"
},
{
"introduced": "3.20.0"
},
{
"fixed": "3.20.3"
},
{
"introduced": "3.21.0"
},
{
"fixed": "3.21.7"
},
{
"introduced": "3.17.0"
},
{
"fixed": "3.19.6"
}
],
"cpe": [
"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*"
]
}