GHSA-8r3f-844c-mc37

Source

https://github.com/advisories/GHSA-8r3f-844c-mc37

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8r3f-844c-mc37/GHSA-8r3f-844c-mc37.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8r3f-844c-mc37

Aliases

Related

Published

2024-03-06T00:31:27Z

Modified

2024-11-07T19:19:40Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

References

Affected packages

Go / google.golang.org/protobuf

Package

Name: google.golang.org/protobuf; View open source insights on deps.dev
Purl: pkg:golang/google.golang.org/protobuf

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.33.0

Go / google.golang.org/protobuf/encoding/protojson

Package

Name: google.golang.org/protobuf/encoding/protojson; View open source insights on deps.dev
Purl: pkg:golang/google.golang.org/protobuf/encoding/protojson

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.33.0

Go / google.golang.org/protobuf/internal/encoding/json

Package

Name: google.golang.org/protobuf/internal/encoding/json; View open source insights on deps.dev
Purl: pkg:golang/google.golang.org/protobuf/internal/encoding/json

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.33.0