GHSA-735f-pc8j-v9w8

Source
https://github.com/advisories/GHSA-735f-pc8j-v9w8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-735f-pc8j-v9w8
Aliases
Related
Published
2024-09-19T16:06:03Z
Modified
2024-09-23T20:24:56.305529Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
protobuf-java has potential Denial of Service issue
Details

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254, High, CVSS 4.0 score 8.7 (NOTE: there may be a delay in publication).

This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.
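The advisory describes the weakness as unbounded recursion while skipping unknown fields that are nested groups. The following Python walker is an added illustration of the defensive pattern, not protobuf's own code and not the unit tests the advisory refers to: it treats every field in a serialized message as unknown, tracks open groups with an explicit stack, and rejects a message whose group nesting exceeds a fixed limit with a clean error instead of exhausting the call stack. The wire-type constants follow the protobuf encoding; the limit of 100, the function names and the sample messages are assumptions constructed for this example.

```python
"""Depth-bounded skipping of unknown protobuf fields (added illustration)."""

# Protobuf wire types (from the protobuf encoding specification).
VARINT, FIXED64, LENGTH_DELIMITED, START_GROUP, END_GROUP, FIXED32 = 0, 1, 2, 3, 4, 5
DEFAULT_GROUP_DEPTH_LIMIT = 100  # assumed cap for this example


class MalformedMessage(ValueError):
    """Raised for input the walker refuses, instead of crashing the process."""


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise MalformedMessage("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise MalformedMessage("varint too long")


def skip_unknown_fields(buf: bytes, limit: int = DEFAULT_GROUP_DEPTH_LIMIT) -> tuple[int, int]:
    """Walk a serialized message treating every field as unknown.

    Returns (fields_skipped, max_group_depth). Groups are tracked with an explicit
    stack whose depth is capped at `limit`, so deeper nesting raises
    MalformedMessage rather than recursing without bound.
    """
    pos, skipped, max_depth = 0, 0, 0
    open_groups: list[int] = []  # field numbers of the groups currently open
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_number, wire_type = tag >> 3, tag & 7
        if field_number == 0:
            raise MalformedMessage("field number 0 is invalid")
        if wire_type == VARINT:
            _, pos = read_varint(buf, pos)
        elif wire_type == FIXED64:
            pos += 8
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type == FIXED32:
            pos += 4
        elif wire_type == START_GROUP:
            if len(open_groups) >= limit:
                raise MalformedMessage(f"group nesting exceeds limit of {limit}")
            open_groups.append(field_number)
            max_depth = max(max_depth, len(open_groups))
            continue  # the group is counted as one field when its end tag arrives
        elif wire_type == END_GROUP:
            if not open_groups or open_groups[-1] != field_number:
                raise MalformedMessage("unmatched end-group tag")
            open_groups.pop()
        else:
            raise MalformedMessage(f"unknown wire type {wire_type}")
        if pos > len(buf):
            raise MalformedMessage("field extends past end of message")
        skipped += 1
    if open_groups:
        raise MalformedMessage("unterminated group")
    return skipped, max_depth


def is_rejected(buf: bytes, limit: int = DEFAULT_GROUP_DEPTH_LIMIT) -> bool:
    """True when the walker rejects the message with MalformedMessage."""
    try:
        skip_unknown_fields(buf, limit)
    except MalformedMessage:
        return True
    return False


def encode_varint(value: int) -> bytes:
    """Encode a non-negative integer as a base-128 varint."""
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def nested_groups(field_number: int, depth: int) -> bytes:
    """Constructed sample: `depth` nested start-group tags, then the matching end tags."""
    start = encode_varint((field_number << 3) | START_GROUP)
    end = encode_varint((field_number << 3) | END_GROUP)
    return start * depth + end * depth


# Constructed flat sample: field 1 varint 150, field 2 length-delimited "hi".
FLAT_SAMPLE = bytes([0x08, 0x96, 0x01, 0x12, 0x02]) + b"hi"

if __name__ == "__main__":
    print(skip_unknown_fields(FLAT_SAMPLE))          # (2, 0)
    print(skip_unknown_fields(nested_groups(1, 5)))  # (5, 5)
    print(is_rejected(nested_groups(1, 150)))        # True
```

The stack-based walk is one way to bound the work; the essential property is that the depth check happens before any further descent, so the cost of a crafted message is bounded by the limit rather than by the message length.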

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

  • protobuf-java (3.25.5, 4.27.5, 4.28.2)
  • protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
  • com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
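To turn the fixed versions above into a dependency check, the following Python snippet is an added example (not tooling from the protobuf project or from OSV) that encodes the three affected ranges this page lists for the Maven artifacts and reports, for a set of dependency coordinates, which version to upgrade to. The version ordering (numeric core, then pre-release tokens, with a release ranking above its own pre-releases) and the sample dependency list are assumptions constructed for this example.

```python
"""Check Maven protobuf dependency versions against this advisory's ranges (added example)."""
import re

# Maven artifacts named on this advisory page.
AFFECTED_ARTIFACTS = {
    "com.google.protobuf:protobuf-java",
    "com.google.protobuf:protobuf-javalite",
    "com.google.protobuf:protobuf-kotlin",
    "com.google.protobuf:protobuf-kotlin-lite",
}

# (introduced, fixed) pairs as listed on the page: affected when introduced <= v < fixed.
AFFECTED_RANGES = [
    ("0", "3.25.5"),
    ("4.0.0.rc.1", "4.27.5"),
    ("4.28.0.rc.1", "4.28.2"),
]

_TOKEN = re.compile(r"\d+|[a-z]+")


def version_key(version: str) -> tuple:
    """Sort key: numeric core, a release-beats-prerelease flag, then prerelease tokens.

    "4.26.0-RC1" and "4.26.0.rc.1" tokenize identically, so the Maven and
    range spellings on the page compare as equal.
    """
    tokens = _TOKEN.findall(version.lower())
    core: list[int] = []
    i = 0
    while i < len(tokens) and tokens[i].isdigit():
        core.append(int(tokens[i]))
        i += 1
    padded = tuple(core + [0] * (4 - len(core)))
    pre = tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens[i:])
    return (padded, 0 if pre else 1, pre)


def fix_for(version: str):
    """Return the fixed version to upgrade to if `version` is affected, else None."""
    key = version_key(version)
    for introduced, fixed in AFFECTED_RANGES:
        if version_key(introduced) <= key < version_key(fixed):
            return fixed
    return None


def audit(dependencies: dict) -> list[tuple[str, str, str]]:
    """Return (coordinate, current_version, fixed_version) for each affected dependency."""
    findings = []
    for coordinate, version in dependencies.items():
        if coordinate not in AFFECTED_ARTIFACTS:
            continue
        fixed = fix_for(version)
        if fixed is not None:
            findings.append((coordinate, version, fixed))
    return findings


# Constructed sample dependency set, not taken from any real build.
SAMPLE_DEPENDENCIES = {
    "com.google.protobuf:protobuf-java": "4.27.3",
    "com.google.protobuf:protobuf-javalite": "3.25.5",
    "com.google.protobuf:protobuf-kotlin": "4.28.0-RC1",
    "com.google.guava:guava": "33.0.0-jre",
}

if __name__ == "__main__":
    for coordinate, current, fixed in audit(SAMPLE_DEPENDENCIES):
        print(f"{coordinate} {current} is affected; upgrade to {fixed}")
```

The ranges here are the ones the page states for the Maven packages; for the JRuby gem the page lists the same fixed versions, but its affected-version spellings differ, so the tokenizer rather than string comparison is what keeps the check usable across both ecosystems.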

Database specific
{
    "nvd_published_at": "2024-09-19T01:15:10Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-19T16:06:03Z"
}
References

Affected packages

Maven / com.google.protobuf:protobuf-java

Package

Name
com.google.protobuf:protobuf-java
Purl
pkg:maven/com.google.protobuf/protobuf-java

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.25.5

Affected versions

2.*

2.0.1
2.0.3
2.1.0
2.2.0
2.3.0
2.4.0a
2.4.1
2.5.0
2.6.0
2.6.1

3.*

3.0.0-alpha-2
3.0.0-alpha-3
3.0.0-alpha-3.1
3.0.0-beta-1
3.0.0-beta-2
3.0.0-beta-3
3.0.0-beta-4
3.0.0
3.0.2
3.1.0
3.2.0rc2
3.2.0-rc.1
3.2.0
3.3.0
3.3.1
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.7.0-rc1
3.7.0
3.7.1
3.8.0-rc-1
3.8.0
3.9.0-rc-1
3.9.0
3.9.1
3.9.2
3.10.0-rc-1
3.10.0
3.11.0-rc-1
3.11.0-rc-2
3.11.0
3.11.1
3.11.3
3.11.4
3.12.0-rc-1
3.12.0-rc-2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0-rc-3
3.13.0
3.14.0-rc-1
3.14.0-rc-2
3.14.0-rc-3
3.14.0
3.15.0-rc-1
3.15.0-rc-2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0-rc-1
3.16.0-rc-2
3.16.0
3.16.1
3.16.3
3.17.0-rc-1
3.17.0-rc-2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0-rc-1
3.18.0-rc-2
3.18.0
3.18.1
3.18.2
3.18.3
3.19.0-rc-1
3.19.0-rc-2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.19.5
3.19.6
3.20.0-rc-1
3.20.0
3.20.1-rc-1
3.20.1
3.20.2
3.20.3
3.21.0-rc-1
3.21.0-rc-2
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.21.5
3.21.6
3.21.7
3.21.8
3.21.9
3.21.10
3.21.11
3.21.12
3.22.0-RC1
3.22.0-RC3
3.22.0
3.22.1
3.22.2
3.22.3
3.22.4
3.22.5
3.23.0-RC2
3.23.0-RC3
3.23.0
3.23.1
3.23.2
3.23.3
3.23.4
3.24.0-RC1
3.24.0-RC2
3.24.0-RC3
3.24.0
3.24.1
3.24.2
3.24.3
3.24.4
3.25.0-RC1
3.25.0-RC2
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4

Maven / com.google.protobuf:protobuf-javalite

Package

Name
com.google.protobuf:protobuf-javalite
Purl
pkg:maven/com.google.protobuf/protobuf-javalite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.25.5

Affected versions

3.*

3.8.0-rc-1
3.8.0
3.9.0-rc-1
3.9.0
3.9.1
3.9.2
3.10.0-rc-1
3.10.0
3.11.0-rc-1
3.11.0-rc-2
3.11.0
3.11.1
3.11.3
3.11.4
3.12.0-rc-1
3.12.0-rc-2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0-rc-3
3.13.0
3.14.0-rc-1
3.14.0-rc-2
3.14.0-rc-3
3.14.0
3.15.0-rc-1
3.15.0-rc-2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0-rc-1
3.16.0-rc-2
3.16.0
3.16.1
3.16.3
3.17.0-rc-1
3.17.0-rc-2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0-rc-1
3.18.0-rc-2
3.18.0
3.18.1
3.18.2
3.18.3
3.19.0-rc-1
3.19.0-rc-2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.19.5
3.19.6
3.20.0-rc-1
3.20.0
3.20.1-rc-1
3.20.1
3.20.2
3.20.3
3.21.0-rc-1
3.21.0-rc-2
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.21.5
3.21.6
3.21.7
3.21.8
3.21.9
3.21.10
3.21.11
3.21.12
3.22.0-RC1
3.22.0-RC3
3.22.0
3.22.1
3.22.2
3.22.3
3.22.4
3.22.5
3.23.0-RC2
3.23.0-RC3
3.23.0
3.23.1
3.23.2
3.23.3
3.23.4
3.24.0-RC1
3.24.0-RC2
3.24.0-RC3
3.24.0
3.24.1
3.24.2
3.24.3
3.24.4
3.25.0-RC1
3.25.0-RC2
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4

Maven / com.google.protobuf:protobuf-kotlin

Package

Name
com.google.protobuf:protobuf-kotlin
Purl
pkg:maven/com.google.protobuf/protobuf-kotlin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.25.5

Affected versions

3.*

3.17.0-rc-2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0-rc-1
3.18.0-rc-2
3.18.0
3.18.1
3.18.2
3.18.3
3.19.0-rc-1
3.19.0-rc-2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.19.5
3.19.6
3.20.0-rc-1
3.20.0
3.20.1-rc-1
3.20.1
3.20.2
3.20.3
3.21.0-rc-1
3.21.0-rc-2
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.21.5
3.21.6
3.21.7
3.21.8
3.21.9
3.21.10
3.21.11
3.21.12
3.22.0-RC1
3.22.0-RC3
3.22.0
3.22.1
3.22.2
3.22.3
3.22.4
3.22.5
3.23.0-RC2
3.23.0-RC3
3.23.0
3.23.1
3.23.2
3.23.3
3.23.4
3.24.0-RC1
3.24.0-RC2
3.24.0-RC3
3.24.0
3.24.1
3.24.2
3.24.3
3.24.4
3.25.0-RC1
3.25.0-RC2
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4

Maven / com.google.protobuf:protobuf-kotlin-lite

Package

Name
com.google.protobuf:protobuf-kotlin-lite
Purl
pkg:maven/com.google.protobuf/protobuf-kotlin-lite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.25.5

Affected versions

3.*

3.17.0-rc-2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0-rc-1
3.18.0-rc-2
3.18.0
3.18.1
3.18.2
3.18.3
3.19.0-rc-1
3.19.0-rc-2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.19.5
3.19.6
3.20.0-rc-1
3.20.0
3.20.1-rc-1
3.20.1
3.20.2
3.20.3
3.21.0-rc-1
3.21.0-rc-2
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.21.5
3.21.6
3.21.7
3.21.8
3.21.9
3.21.10
3.21.11
3.21.12
3.22.0-RC1
3.22.0-RC3
3.22.0
3.22.1
3.22.2
3.22.3
3.22.4
3.22.5
3.23.0-RC2
3.23.0-RC3
3.23.0
3.23.1
3.23.2
3.23.3
3.23.4
3.24.0-RC1
3.24.0-RC2
3.24.0-RC3
3.24.0
3.24.1
3.24.2
3.24.3
3.24.4
3.25.0-RC1
3.25.0-RC2
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4

RubyGems / google-protobuf

Package

Name
google-protobuf
Purl
pkg:gem/google-protobuf

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.25.5

Affected versions

3.*

3.0.0.alpha.1.0
3.0.0.alpha.1.1
3.0.0.alpha.2.0
3.0.0.alpha.3
3.0.0.alpha.3.1.pre
3.0.0.alpha.4.0
3.0.0.alpha.5.0.3
3.0.0.alpha.5.0.4
3.0.0.alpha.5.0.5
3.0.0.alpha.5.0.5.1
3.0.0
3.0.2
3.1.0.0.pre
3.1.0
3.2.0
3.2.0.1
3.2.0.2
3.2.1.pre
3.3.0
3.4.0.1
3.4.0.2
3.4.1.1
3.5.0.pre
3.5.0
3.5.1
3.5.1.1
3.5.1.2
3.6.0
3.6.1
3.7.0.rc.2
3.7.0.rc.3
3.7.0
3.7.1
3.8.0.rc.1
3.8.0
3.9.0.rc.1
3.9.0
3.9.1
3.9.2
3.10.0.rc.1
3.10.1
3.11.0.rc.1
3.11.0.rc.2
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0.rc.1
3.12.0.rc.2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0.rc.3
3.13.0
3.14.0.rc.1
3.14.0.rc.2
3.14.0.rc.3
3.14.0
3.15.0.rc.1
3.15.0.rc.2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0.rc.1
3.16.0.rc.2
3.16.0
3.17.0.rc.1
3.17.0.rc.2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0.rc.1
3.18.0.rc.2
3.18.0
3.18.1
3.18.2
3.18.3
3.19.0.rc.1
3.19.0.rc.2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.19.5
3.19.6
3.20.0.rc.1
3.20.0.rc.2
3.20.0
3.20.1.rc.1
3.20.1
3.20.2
3.20.3
3.21.0.rc.1
3.21.0.rc.2
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.21.5
3.21.6
3.21.7
3.21.8
3.21.9
3.21.10
3.21.11
3.21.12
3.22.0.rc.2
3.22.0.rc.3
3.22.0
3.22.1
3.22.2
3.22.3
3.22.5
3.23.0.rc.1
3.23.0.rc.2
3.23.0.rc.3
3.23.0
3.23.1
3.23.2
3.23.3
3.23.4
3.24.0.rc.2
3.24.0.rc.3
3.24.0
3.24.1
3.24.2
3.24.3
3.24.4
3.25.0.rc.1
3.25.0.rc.2
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4

RubyGems / google-protobuf

Package

Name
google-protobuf
Purl
pkg:gem/google-protobuf

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0.rc.1
Fixed
4.27.5

Affected versions

4.*

4.26.0.rc.1
4.26.0.rc.2
4.26.0.rc.3
4.26.0
4.26.1
4.27.0.rc.1
4.27.0.rc.2
4.27.0.rc.3
4.27.0
4.27.1
4.27.2
4.27.3
4.27.4

RubyGems / google-protobuf

Package

Name
google-protobuf
Purl
pkg:gem/google-protobuf

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.28.0.rc.1
Fixed
4.28.2

Affected versions

4.*

4.28.0.rc.1
4.28.0.rc.2
4.28.0.rc.3
4.28.0
4.28.1

Maven / com.google.protobuf:protobuf-kotlin-lite

Package

Name
com.google.protobuf:protobuf-kotlin-lite
Purl
pkg:maven/com.google.protobuf/protobuf-kotlin-lite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0.rc.1
Fixed
4.27.5

Affected versions

4.*

4.26.0-RC1
4.26.0-RC2
4.26.0-RC3
4.26.0
4.26.1
4.27.0-RC1
4.27.0-RC2
4.27.0-RC3
4.27.0
4.27.1
4.27.2
4.27.3
4.27.4

Maven / com.google.protobuf:protobuf-kotlin-lite

Package

Name
com.google.protobuf:protobuf-kotlin-lite
Purl
pkg:maven/com.google.protobuf/protobuf-kotlin-lite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.28.0.rc.1
Fixed
4.28.2

Affected versions

4.*

4.28.0
4.28.1

Maven / com.google.protobuf:protobuf-kotlin

Package

Name
com.google.protobuf:protobuf-kotlin
Purl
pkg:maven/com.google.protobuf/protobuf-kotlin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0.rc.1
Fixed
4.27.5

Affected versions

4.*

4.26.0-RC1
4.26.0-RC2
4.26.0-RC3
4.26.0
4.26.1
4.27.0-RC1
4.27.0-RC2
4.27.0-RC3
4.27.0
4.27.1
4.27.2
4.27.3
4.27.4

Maven / com.google.protobuf:protobuf-kotlin

Package

Name
com.google.protobuf:protobuf-kotlin
Purl
pkg:maven/com.google.protobuf/protobuf-kotlin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.28.0.rc.1
Fixed
4.28.2

Affected versions

4.*

4.28.0
4.28.1

Maven / com.google.protobuf:protobuf-javalite

Package

Name
com.google.protobuf:protobuf-javalite
Purl
pkg:maven/com.google.protobuf/protobuf-javalite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0.rc.1
Fixed
4.27.5

Affected versions

4.*

4.26.0-RC1
4.26.0-RC2
4.26.0-RC3
4.26.0
4.26.1
4.27.0-RC1
4.27.0-RC2
4.27.0-RC3
4.27.0
4.27.1
4.27.2
4.27.3
4.27.4

Maven / com.google.protobuf:protobuf-javalite

Package

Name
com.google.protobuf:protobuf-javalite
Purl
pkg:maven/com.google.protobuf/protobuf-javalite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.28.0.rc.1
Fixed
4.28.2

Affected versions

4.*

4.28.0
4.28.1

Maven / com.google.protobuf:protobuf-java

Package

Name
com.google.protobuf:protobuf-java
Purl
pkg:maven/com.google.protobuf/protobuf-java

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0.rc.1
Fixed
4.27.5

Affected versions

4.*

4.26.0-RC1
4.26.0-RC2
4.26.0-RC3
4.26.0
4.26.1
4.27.0-RC1
4.27.0-RC2
4.27.0-RC3
4.27.0
4.27.1
4.27.2
4.27.3
4.27.4

Maven / com.google.protobuf:protobuf-java

Package

Name
com.google.protobuf:protobuf-java
Purl
pkg:maven/com.google.protobuf/protobuf-java

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.28.0.rc.1
Fixed
4.28.2

Affected versions

4.*

4.28.0
4.28.1