GHSA-8gq9-2x98-w8hf

Suggest an improvement
Source
https://github.com/advisories/GHSA-8gq9-2x98-w8hf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-8gq9-2x98-w8hf/GHSA-8gq9-2x98-w8hf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8gq9-2x98-w8hf
Aliases
Published
2022-09-23T20:31:15Z
Modified
2024-07-05T22:04:21.661093Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
protobuf-cpp and protobuf-python have potential Denial of Service issue
Details

Summary

A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.

Reporter: ClusterFuzz

Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.

Severity & Impact

As scored by google
Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Asscored byt NIST
High 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.

Proof of Concept

For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.

Mitigation / Patching

Please update to the latest available versions of the following packages: - protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6) - protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

References

Affected packages

PyPI / protobuf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.18.3

Affected versions

2.*

2.0.0beta
2.0.3
2.3.0
2.4.1
2.5.0
2.6.0
2.6.1

3.*

3.0.0a2
3.0.0a3
3.0.0b1
3.0.0b1.post1
3.0.0b1.post2
3.0.0b2
3.0.0b2.post1
3.0.0b2.post2
3.0.0b3
3.0.0b4
3.0.0
3.1.0
3.1.0.post1
3.2.0rc1
3.2.0rc1.post1
3.2.0rc2
3.2.0
3.3.0
3.4.0
3.5.0.post1
3.5.1
3.5.2
3.5.2.post1
3.6.0
3.6.1
3.7.0rc2
3.7.0rc3
3.7.0
3.7.1
3.8.0rc1
3.8.0
3.9.0rc1
3.9.0
3.9.1
3.9.2
3.10.0rc1
3.10.0
3.11.0rc1
3.11.0rc2
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0rc1
3.12.0rc2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0rc3
3.13.0
3.14.0rc1
3.14.0rc2
3.14.0rc3
3.14.0
3.15.0rc1
3.15.0rc2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0rc1
3.16.0rc2
3.16.0
3.17.0rc1
3.17.0rc2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0rc1
3.18.0rc2
3.18.0
3.18.1

PyPI / protobuf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.19.0
Fixed
3.19.5

Affected versions

3.*

3.19.0
3.19.1
3.19.2
3.19.3
3.19.4

PyPI / protobuf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.20.0
Fixed
3.20.2

Affected versions

3.*

3.20.0
3.20.1rc1
3.20.1

PyPI / protobuf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.21.6

Affected versions

4.*

4.21.0rc1
4.21.0rc2
4.21.0
4.21.1
4.21.2
4.21.3
4.21.4
4.21.5