CVE-2022-1941

Source
https://cve.org/CVERecord?id=CVE-2022-1941
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1941.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-1941
Published
2022-09-22T15:15:09.203Z
Modified
2026-02-04T21:35:21.411930Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details

A parsing vulnerability for the MessageSet type in Protocol Buffers, affecting protobuf-cpp versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5, and protobuf-python versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5, can lead to out-of-memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues and can lead to a denial of service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2 or 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2 or 4.21.6 for protobuf-python. Versions 3.16 and 3.17 are no longer updated.

Affected packages

Git / github.com/protocolbuffers/protobuf

Affected versions

v21.*
v21.0
v21.1
v21.2
v21.3
v21.4
v21.5
v3.*
v3.21.0
v3.21.1
v3.21.2
v3.21.3
v3.21.4
v3.21.5

Database specific

vanir_signatures
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1941.json"