CVE-2022-1941

Published on: Not Yet Published

Last Modified on: 09/22/2022 04:16:00 PM UTC

CVE-2022-1941

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Certain versions of Protobuf-cpp from Google LLC contain the following vulnerability:

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

CVE-2022-1941 has been assigned by [email protected] to track the vulnerability

CVE References

Description	Tags ^ⓘ	Link
A potential Denial of Service issue in protobuf-cpp and protobuf-python · Advisory · protocolbuffers/protobuf · GitHub	github.com text/html	CONFIRM github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
Security Bulletins \| Customer Care \| Google Cloud	cloud.google.com text/html	CONFIRM cloud.google.com/support/bulletins#GCP-2022-019

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Software

Vendor	Product	Version
Google LLC	protobuf-cpp	<= 3.16.1
Google LLC	protobuf-cpp	<= 3.17.3
Google LLC	protobuf-cpp	<= 3.18.2
Google LLC	protobuf-cpp	<= 3.19.4
Google LLC	protobuf-cpp	<= 3.20.1
Google LLC	protobuf-cpp	<= 3.21.5
Google LLC	protobuf-python	<= 3.16.1
Google LLC	protobuf-python	<= 3.17.3
Google LLC	protobuf-python	<= 3.18.2
Google LLC	protobuf-python	<= 3.19.4
Google LLC	protobuf-python	<= 3.20.1
Google LLC	protobuf-python	<= 4.21.5

Discovery Credit

CluterFuzz - https://google.github.io/clusterfuzz/

Social Mentions

Source	Title	Posted (UTC)
@CVEreport	CVE-2022-1941 : A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and includ… twitter.com/i/web/status/1…	2022-09-22 14:55:29
@JohnJasonFallow	New vulnerability on the NVD: CVE-2022-1941 ift.tt/B1TYSw4	2022-09-22 16:16:49
@doogsineerg	New vulnerability on the NVD: CVE-2022-1941 ift.tt/p0LaS3g	2022-09-22 16:33:23
@workentin	New vulnerability on the NVD: CVE-2022-1941 ift.tt/4brMRkV	2022-09-22 16:40:11
@xanadulinux	CVE-2022-1941 ift.tt/bXoEQ8J	2022-09-22 16:52:31
@LinInfoSec	Python - CVE-2022-1941: cloud.google.com/support/bullet…	2022-09-22 17:01:13
/r/netcve	CVE-2022-1941	2022-09-22 15:38:21