CVE-2021-22569

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-22569
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22569.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-22569
Aliases
Downstream
Related
Published
2022-01-10T14:10:16.747Z
Modified
2026-03-14T08:24:20.528287Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

References

Affected packages

Git / github.com/protocolbuffers/protobuf

Affected ranges

Type
GIT
Repo
https://github.com/protocolbuffers/protobuf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cb46755e6405e083b45481f5ea4754b180705529
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
791a4355c365bd92720160671a7491be168055cb
Introduced
89b14b1d16eba4d44af43256fc45b24a6a348557
Fixed
6c6b0778b70f35f93c2f0dee30e5d12ad2a83eea
Introduced
17b30e96476be70b8773b2b807bab857fd3ceb39
Fixed
cb46755e6405e083b45481f5ea4754b180705529
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6c6b0778b70f35f93c2f0dee30e5d12ad2a83eea
Introduced
17b30e96476be70b8773b2b807bab857fd3ceb39
Fixed
cb46755e6405e083b45481f5ea4754b180705529
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b464cfbee18c71c40e761a5273ad369f3547294b
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
7062d0a2d0075d5e7d5c294fd3984df67a976da3
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.19.2"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.16.1"
        },
        {
            "introduced": "3.18.0"
        },
        {
            "fixed": "3.18.2"
        },
        {
            "introduced": "3.19.0"
        },
        {
            "fixed": "3.19.2"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.18.2"
        },
        {
            "introduced": "3.19.0"
        },
        {
            "fixed": "3.19.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "19c"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "21c"
        }
    ]
}

Affected versions

v3.*
v3.18.0
v3.18.1
v3.19.0
v3.19.0-rc1
v3.19.0-rc2
v3.19.1

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.15.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.15.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.15.0"
            }
        ]
    }
]
vanir_signatures 
[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-007a6f1a",
        "target": {
            "file": "src/google/protobuf/source_context.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-0c6a5439",
        "target": {
            "file": "src/google/protobuf/any.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-297c786b",
        "target": {
            "file": "src/google/protobuf/compiler/plugin.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-2ad1978c",
        "target": {
            "file": "src/google/protobuf/field_mask.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-74dbca6c",
        "target": {
            "file": "src/google/protobuf/type.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-7d3abc12",
        "target": {
            "file": "src/google/protobuf/descriptor.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-a55a1d2a",
        "target": {
            "file": "src/google/protobuf/wrappers.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-cbf5b140",
        "target": {
            "file": "src/google/protobuf/timestamp.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-d147c29a",
        "target": {
            "file": "src/google/protobuf/api.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-dec320e6",
        "target": {
            "file": "src/google/protobuf/empty.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-f87ca39e",
        "target": {
            "file": "src/google/protobuf/duration.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-22569-ff862195",
        "target": {
            "file": "src/google/protobuf/struct.pb.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328459828297406866746685094975132074155",
                "320482912142515080020906968928056412245",
                "94902428441466243207974400648954766131",
                "139512282090018918949412744829553419206"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/protocolbuffers/protobuf/commit/791a4355c365bd92720160671a7491be168055cb"
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22569.json"