CVE-2022-3510 - OpenCVE

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Google	Protobuf-javalite Protobuf-java

Configuration 1 [-]

OR	cpe:2.3:a:google:protobuf-java::::::::
	cpe:2.3:a:google:protobuf-java::::::::
	cpe:2.3:a:google:protobuf-java::::::::
	cpe:2.3:a:google:protobuf-java::::::::
	cpe:2.3:a:google:protobuf-javalite::::::::
	cpe:2.3:a:google:protobuf-javalite::::::::
	cpe:2.3:a:google:protobuf-javalite::::::::
	cpe:2.3:a:google:protobuf-javalite::::::::

References

Link	Resource
https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2022-11-11T16:35:20.765Z

Updated: 2022-12-12T12:11:04.548862Z

Reserved: 2022-10-14T13:53:33.104Z

Link: CVE-2022-3510

JSON object: View

NVD Information

Status : Modified

Published: 2022-12-12T13:15:14.670

Modified: 2023-11-07T03:51:20.923

Link: CVE-2022-3510

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-3510", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "requesterUserId": "0482d1dc-86d9-41dd-bdd2-3f4c4834e1b3", "dateReserved": "2022-10-14T13:53:33.104Z", "datePublished": "2022-11-11T16:35:20.765Z", "dateUpdated": "2022-12-12T12:11:04.548862Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["all"], "product": "ProtocolBuffers", "repo": "https://github.com/protocolbuffers/protobuf/", "vendor": "Google", "versions": [{"lessThan": "3.21.7", "status": "affected", "version": "3.21.0", "versionType": "semver"}, {"lessThan": "3.20.3", "status": "affected", "version": "3.20.0", "versionType": "semver"}, {"lessThan": "3.19.6", "status": "affected", "version": "3.19.0", "versionType": "semver"}, {"lessThan": "3.16.3", "status": "affected", "version": "3.16.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.</p>"}], "value": "A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2022-12-12T12:11:04.548862Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48"}], "source": {"discovery": "INTERNAL"}, "title": "Parsing issue in protobuf message-type extension", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB303B67-87A7-43AC-8A8B-B037C2D06B3F", "versionEndExcluding": "3.16.3", "versionStartIncluding": "3.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C2D62DC-0F66-4A30-B9FE-EA6199E60538", "versionEndExcluding": "3.19.6", "versionStartIncluding": "3.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "56CA1E8D-A555-4F4F-80D8-F23D0DC50BB8", "versionEndExcluding": "3.20.3", "versionStartIncluding": "3.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "E82CFAC2-2F65-45FD-88D9-D42145FC4A4F", "versionEndExcluding": "3.21.7", "versionStartIncluding": "3.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "63C927E5-FAB2-4F2E-8F28-EC3CC160837C", "versionEndExcluding": "3.16.3", "versionStartIncluding": "3.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B4050D4-2224-467C-B46D-2CD734B3B0FB", "versionEndExcluding": "3.19.6", "versionStartIncluding": "3.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "459A8615-D2ED-49F3-A81C-DC4560D96C93", "versionEndExcluding": "3.20.3", "versionStartIncluding": "3.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "712693B9-41AB-41D1-97B2-560FDFEE0863", "versionEndExcluding": "3.21.7", "versionStartIncluding": "3.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\n\n"}, {"lang": "es", "value": "Un problema de an\u00e1lisis similar a CVE-2022-3171, pero con extensiones de tipo de mensaje en las versiones protobuf-java core y lite anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3 puede provocar un ataque de Denegaci\u00f3n de Servicio (DoS). . Las entradas que contienen m\u00faltiples instancias de mensajes incrustados no repetidos con campos repetidos o desconocidos hacen que los objetos se conviertan de un lado a otro entre formas mutables e inmutables, lo que resulta en pausas de recolecci\u00f3n de basura potencialmente largas. Recomendamos actualizar a las versiones mencionadas anteriormente."}], "id": "CVE-2022-3510", "lastModified": "2023-11-07T03:51:20.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-12-12T13:15:14.670", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}