CVE-2024-7254

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-7254
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7254.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-7254
Aliases
Related
Published
2024-09-19T01:15:10Z
Modified
2024-10-08T04:15:53.143259Z
Summary
[none]
Details

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

References

Affected packages

Debian:11 / protobuf

Package

Name
protobuf
Purl
pkg:deb/debian/protobuf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.12.4-1
3.12.4-1+deb11u1
3.14.0-1
3.17.1-1
3.17.2-1
3.17.3-1
3.17.3-2
3.18.0~rc1-1
3.18.0~rc2-1
3.18.0-1
3.18.1-1
3.19.0-1
3.19.1-1
3.19.3-1
3.19.4-1
3.20.0~rc1-1
3.20.0~rc2-1
3.20.0-1
3.20.1~rc1-1
3.20.1-1
3.20.2-1
3.21.6-1
3.21.7-1
3.21.8-1
3.21.9-1
3.21.9-2
3.21.9-3
3.21.9-4
3.21.9-5
3.21.10-1
3.21.11-1
3.21.12-1
3.21.12-2
3.21.12-2+exp1
3.21.12-3
3.21.12-4
3.21.12-5
3.21.12-6
3.21.12-7
3.21.12-8
3.21.12-8.1
3.21.12-8.2
3.21.12-9
3.25.1-1
3.25.2-1
3.25.3-1
3.25.4-1

4.*

4.0.0~rc1-1
4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / protobuf

Package

Name
protobuf
Purl
pkg:deb/debian/protobuf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.21.12-3
3.21.12-4
3.21.12-5
3.21.12-6
3.21.12-7
3.21.12-8
3.21.12-8.1
3.21.12-8.2
3.21.12-9
3.25.1-1
3.25.2-1
3.25.3-1
3.25.4-1

4.*

4.0.0~rc1-1
4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / protobuf

Package

Name
protobuf
Purl
pkg:deb/debian/protobuf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.21.12-3
3.21.12-4
3.21.12-5
3.21.12-6
3.21.12-7
3.21.12-8
3.21.12-8.1
3.21.12-8.2
3.21.12-9
3.25.1-1
3.25.2-1
3.25.3-1
3.25.4-1

4.*

4.0.0~rc1-1
4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/protocolbuffers/protobuf

Affected ranges

Type
GIT
Repo
https://github.com/protocolbuffers/protobuf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

3.*

3.15.0-rc1

Other

conformance-build-tag
v26-dev
v27-dev
v28-dev

v2.*

v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.1rc1

v21.*

v21.0
v21.0-rc1
v21.0-rc2
v21.1
v21.10
v21.11
v21.12
v21.2
v21.3
v21.4
v21.5
v21.6
v21.9

v22.*

v22.0
v22.0-rc1
v22.0-rc2
v22.0-rc3
v22.1
v22.2
v22.3

v23.*

v23.0
v23.0-rc1
v23.0-rc2
v23.0-rc3

v24.*

v24.0
v24.0-rc1
v24.0-rc2
v24.0-rc3

v25.*

v25.0
v25.0-rc1
v25.0-rc2

v3.*

v3.0.0
v3.0.0-alpha-1
v3.0.0-alpha-2
v3.0.0-alpha-3
v3.0.0-alpha-4
v3.0.0-beta-1
v3.0.0-beta-1-bzl-fix
v3.0.0-beta-2
v3.0.0-beta-3
v3.0.0-beta-3-pre-1
v3.0.0-beta-4
v3.0.2
v3.1.0
v3.1.0-alpha-1
v3.10.0
v3.10.0-rc1
v3.11.0
v3.11.0-rc1
v3.11.0-rc2
v3.11.1
v3.11.2
v3.11.3
v3.11.4
v3.12.0
v3.12.0-rc1
v3.12.0-rc2
v3.12.1
v3.12.2
v3.12.3
v3.13.0
v3.13.0-rc3
v3.13.0.1
v3.14.0
v3.14.0-rc1
v3.14.0-rc2
v3.14.0-rc3
v3.15.0
v3.15.0-rc1
v3.15.0-rc2
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.15.5
v3.15.6
v3.15.7
v3.15.8
v3.16.0
v3.16.0-rc1
v3.16.0-rc2
v3.17.0
v3.17.0-rc1
v3.17.0-rc2
v3.17.1
v3.17.2
v3.17.3
v3.18.0
v3.18.0-rc1
v3.18.0-rc2
v3.18.1
v3.19.0
v3.19.0-rc1
v3.19.0-rc2
v3.19.1
v3.19.2
v3.19.3
v3.19.4
v3.20.0
v3.20.0-rc1
v3.20.0-rc2
v3.20.0-rc3
v3.20.1
v3.20.1-rc1
v3.21.0
v3.21.0-rc2
v3.21.1
v3.21.10
v3.21.11
v3.21.12
v3.21.2
v3.21.3
v3.21.4
v3.21.5
v3.21.6
v3.21.9
v3.22.0
v3.22.0-rc1
v3.22.0-rc2
v3.22.0-rc3
v3.22.1
v3.22.2
v3.22.3
v3.23.0
v3.23.0-rc1
v3.23.0-rc2
v3.23.0-rc3
v3.24.0
v3.24.0-rc1
v3.24.0-rc2
v3.24.0-rc3
v3.25.0
v3.25.0-rc1
v3.25.0-rc2
v3.3.0
v3.3.0rc1
v3.3.1
v3.3.2
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.0rc3
v3.4.1
v3.5.0
v3.5.0.1
v3.5.1
v3.5.2
v3.6.0
v3.6.0.1
v3.6.0rc1
v3.6.0rc2
v3.6.1
v3.7.0
v3.7.0-rc.2
v3.7.0-rc.3
v3.7.0rc1
v3.7.0rc2
v3.7.1
v3.8.0
v3.8.0-rc1
v3.9.0-rc1

v4.*

v4.22.0
v4.22.0-rc1
v4.22.0-rc2
v4.22.0-rc3
v4.22.1
v4.22.2
v4.22.3
v4.23.0
v4.23.0-rc1
v4.23.0-rc2
v4.23.0-rc3
v4.24.0
v4.24.0-rc1
v4.24.0-rc2
v4.24.0-rc3
v4.25.0
v4.25.0-rc1
v4.25.0-rc2