CVE-2022-1941
Published on: Not Yet Published
Last Modified on: 12/18/2022 04:15:00 AM UTC
Certain versions of Protobuf-cpp from Google contain the following vulnerability:
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions 3.16 and 3.17 are no longer updated.
- CVE-2022-1941 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.5 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |
Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | NONE | NONE | HIGH |
CVE References
Description | Tags | Link |
---|---|---|
oss-security - CVE-2022-1941: Protobuf C++, Python DoS | text/html | www.openwall.com |
A potential Denial of Service issue in protobuf-cpp and protobuf-python · Advisory · protocolbuffers/protobuf · GitHub | text/html | github.com |
Security Bulletins | Customer Care | Google Cloud | text/html | cloud.google.com |
[SECURITY] Fedora 37 Update: protobuf-3.19.6-1.fc37 - package-announce - Fedora Mailing-Lists | text/html | lists.fedoraproject.org |
Related QID Numbers
- 283528 Fedora Security Update for protobuf (FEDORA-2022-25f35ed634)
- 377910 Oracle MySQL Connectors 8.0.x Denial of Service (DoS) Vulnerability (CPUJAN2023)
- 672489 EulerOS Security Update for protobuf (EulerOS-SA-2023-1019)
- 672498 EulerOS Security Update for protobuf (EulerOS-SA-2023-1044)
- 691034 Free Berkeley Software Distribution (FreeBSD) Security Update for mysql (dc49f6dc-99d2-11ed-86e9-d4c9ef517024)
- 752777 SUSE Enterprise Linux Security Update for protobuf (SUSE-SU-2022:3922-1)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Google | Protobuf-cpp | All | All | All | All |
Application | Google | Protobuf-python | All | All | All | All |
- cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*:
- cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*:
Discovery Credit
ClusterFuzz - https://google.github.io/clusterfuzz/
Social Mentions
Title | Posted (UTC) |
---|---|
CVE-2022-1941 : A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and includ… twitter.com/i/web/status/1… | 2022-09-22 14:55:29 |
New vulnerability on the NVD: CVE-2022-1941 ift.tt/B1TYSw4 | 2022-09-22 16:16:49 |
New vulnerability on the NVD: CVE-2022-1941 ift.tt/p0LaS3g | 2022-09-22 16:33:23 |
New vulnerability on the NVD: CVE-2022-1941 ift.tt/4brMRkV | 2022-09-22 16:40:11 |
CVE-2022-1941 ift.tt/bXoEQ8J | 2022-09-22 16:52:31 |
Python - CVE-2022-1941: cloud.google.com/support/bullet… | 2022-09-22 17:01:13 |
CVE-2022-1941 | 2022-09-22 15:38:21 |