Skip to content

x/vulndb: potential Go vuln in github.com/protocolbuffers/protobuf: CVE-2022-1941 #1016

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GoVulnBot opened this issue Sep 23, 2022 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/protocolbuffers/protobuf: CVE-2022-1941 #1016

GoVulnBot opened this issue Sep 23, 2022 · 1 comment
Assignees
@neild
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2022-1941 references github.com/protocolbuffers/protobuf, which may be a Go module.

Description:
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/protocolbuffers/protobuf
    packages:
      - package: protobuf-cpp
description: |
    A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
cves:
  - CVE-2022-1941
credit: CluterFuzz - https://google.github.io/clusterfuzz/
references:
  - web: https://cloud.google.com/support/bulletins#GCP-2022-019
  - fix: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
@neild neild self-assigned this Sep 23, 2022
@neild neild added excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed NeedsTriage labels Sep 23, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/433438 mentions this issue: data/excluded: add GO-2022-1016.yaml for CVE-2022-1941

@GoVulnBot GoVulnBot mentioned this issue May 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @tatianab @gopherbot @GoVulnBot