CVE-2022-3171

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Link	Resource
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202301-09	Third Party Advisory

Configuration 1

cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:* cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:* cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:* cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:* cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:* cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:* cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

---

Published : 2022-10-12 11:15

Updated : 2023-02-21 05:32

---

NVD link : CVE-2022-3171

Mitre link : CVE-2022-3171

No products.

NVD-CWE-noinfo