A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial-of-service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
[
{
"id": "CVE-2022-3171-3c760779",
"target": {
"file": "src/google/protobuf/wrappers.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-51960048",
"target": {
"file": "src/google/protobuf/descriptor.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-610f4e97",
"target": {
"file": "src/google/protobuf/timestamp.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-6bc36508",
"target": {
"file": "src/google/protobuf/api.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-7b523458",
"target": {
"file": "src/google/protobuf/compiler/plugin.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-892436e4",
"target": {
"file": "src/google/protobuf/type.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-8c2e0192",
"target": {
"file": "src/google/protobuf/any.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-b0f21209",
"target": {
"file": "src/google/protobuf/empty.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-c1227f64",
"target": {
"file": "src/google/protobuf/duration.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-d5e132eb",
"target": {
"file": "src/google/protobuf/field_mask.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-ebeb0e90",
"target": {
"file": "src/google/protobuf/source_context.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
},
{
"id": "CVE-2022-3171-fd9bc12e",
"target": {
"file": "src/google/protobuf/struct.pb.h"
},
"digest": {
"line_hashes": [
"14463844651962961940331438795809373578",
"214516298593296203942852467115320028386",
"261809066153928994664321823254706116376",
"307626444442344817117879599035219910274"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/b8c2488f480bbe3d66b9874c2fcd434201caa48a",
"signature_type": "Line"
}
]