
    6 vulnerabilities found for protobuf-kotlin by google

    CVE-2024-7254 (GCVE-0-2024-7254)

    Vulnerability from nvd – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37
    Title
    Stack overflow in Protocol Buffers Java Lite
    Summary
    Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-674 - Uncontrolled Recursion
    Assigner
    Impacted products
    Vendor Product Version
    Google Protocol Buffers Affected: 0 , < 28.2 (custom)
    Google protobuf-java Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google protobuf-javalite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google protobuf-kotlin Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google protobuf-kotllin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google google-protobuf [JRuby Gem] Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    google protobuf Affected: 0 , < 28.2 (custom)
        cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*
    google protobuf-kotlin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 4.27 , < 4.27.5 (custom)
    Affected: 4.28 , < 4.28.2 (custom)
        cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*
        cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*
    Credits
    Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "28.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
                  "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf-kotlin-lite",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "3.25.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.27.5",
                    "status": "affected",
                    "version": "4.27",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.28.2",
                    "status": "affected",
                    "version": "4.28",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T14:29:43.468555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T14:46:14.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-19T00:11:07.841Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
              },
              {
                "url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Protocol Buffers",
              "repo": "https://github.com/protocolbuffers/protobuf",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
              "defaultStatus": "unaffected",
              "product": "protobuf-java",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-javalite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotlin",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotllin-lite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://rubygems.org/gems/google-protobuf",
              "defaultStatus": "unaffected",
              "product": "google-protobuf [JRuby Gem]",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-674",
                  "description": "CWE-674 Uncontrolled Recursion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T09:37:53.702Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stack overflow in Protocol Buffers Java Lite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2024-7254",
        "datePublished": "2024-09-19T00:18:45.824Z",
        "dateReserved": "2024-07-29T21:41:56.116Z",
        "dateUpdated": "2025-09-08T09:37:53.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3171 (GCVE-0-2022-3171)

    Vulnerability from nvd – Published: 2022-10-12 00:00 – Updated: 2025-04-21 13:47
    Title
    Memory handling vulnerability in ProtocolBuffers Java core and lite
    Summary
    A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Google LLC Protocolbuffers Affected: 3.21.7 , < 3.21.7 (custom)
    Affected: 3.20.3 , < 3.20.3 (custom)
    Affected: 3.19.6 , < 3.19.6 (custom)
    Affected: 3.16.3 , < 3.16.3 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.773Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
              },
              {
                "name": "FEDORA-2022-25f35ed634",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
              },
              {
                "name": "GLSA-202301-09",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202301-09"
              },
              {
                "name": "FEDORA-2022-15729fa33d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3171",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-21T13:36:41.564407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-21T13:47:57.569Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "core and lite"
              ],
              "product": "Protocolbuffers",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.21.7",
                  "status": "affected",
                  "version": "3.21.7",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.20.3",
                  "status": "affected",
                  "version": "3.20.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.19.6",
                  "status": "affected",
                  "version": "3.19.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.16.3",
                  "status": "affected",
                  "version": "3.16.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-27T00:00:00.000Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
            },
            {
              "name": "FEDORA-2022-25f35ed634",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
            },
            {
              "name": "GLSA-202301-09",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202301-09"
            },
            {
              "name": "FEDORA-2022-15729fa33d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Memory handling vulnerability in ProtocolBuffers Java core and lite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2022-3171",
        "datePublished": "2022-10-12T00:00:00.000Z",
        "dateReserved": "2022-09-09T00:00:00.000Z",
        "dateUpdated": "2025-04-21T13:47:57.569Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22569 (GCVE-0-2021-22569)

    Vulnerability from nvd – Published: 2022-01-07 00:00 – Updated: 2025-04-21 13:57
    Title
    Denial of Service of protobuf-java parsing procedure
    Summary
    An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-696 - Incorrect Behavior Order
    Assigner
    Impacted products
    Vendor Product Version
    Google LLC protobuf-java Affected: unspecified , < 3.16.1 (custom)
    Affected: unspecified , < 3.18.2 (custom)
    Affected: unspecified , < 3.19.2 (custom)
    Google LLC protobuf-kotlin Affected: unspecified , < 3.18.2 (custom)
    Affected: unspecified , < 3.19.2 (custom)
    Google LLC google-protobuf [JRuby Gem] Affected: unspecified , < 3.19.2 (custom)
    Credits
    OSS-Fuzz - https://github.com/google/oss-fuzz

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:44:14.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
              },
              {
                "name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
              },
              {
                "name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-22569",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-21T13:40:37.923955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-21T13:57:08.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "protobuf-java",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.16.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.18.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "protobuf-kotlin",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.18.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "google-protobuf [JRuby Gem]",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "OSS-Fuzz - https://github.com/google/oss-fuzz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-696",
                  "description": "CWE-696 Incorrect Behavior Order",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-18T00:00:00.000Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
            },
            {
              "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
            },
            {
              "name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
            },
            {
              "name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of Service of protobuf-java parsing procedure",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2021-22569",
        "datePublished": "2022-01-07T00:00:00.000Z",
        "dateReserved": "2021-01-05T00:00:00.000Z",
        "dateUpdated": "2025-04-21T13:57:08.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7254 (GCVE-0-2024-7254)

    Vulnerability from cvelistv5 – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37
    Title
    Stack overflow in Protocol Buffers Java Lite
    Summary
    Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-674 - Uncontrolled Recursion
    Assigner
    Impacted products
    Vendor Product Version
    Google Protocol Buffers Affected: 0 , < 28.2 (custom)
    Google protobuf-java Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google protobuf-javalite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google protobuf-kotlin Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google protobuf-kotllin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Google google-protobuf [JRuby Gem] Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    google protobuf Affected: 0 , < 28.2 (custom)
        cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*
    google protobuf-kotlin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 4.27 , < 4.27.5 (custom)
    Affected: 4.28 , < 4.28.2 (custom)
        cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*
        cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*
    Credits
    Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "28.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
                  "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf-kotlin-lite",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "3.25.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.27.5",
                    "status": "affected",
                    "version": "4.27",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.28.2",
                    "status": "affected",
                    "version": "4.28",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T14:29:43.468555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T14:46:14.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-19T00:11:07.841Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
              },
              {
                "url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Protocol Buffers",
              "repo": "https://github.com/protocolbuffers/protobuf",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
              "defaultStatus": "unaffected",
              "product": "protobuf-java",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-javalite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotlin",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotllin-lite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://rubygems.org/gems/google-protobuf",
              "defaultStatus": "unaffected",
              "product": "google-protobuf [JRuby Gem]",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-674",
                  "description": "CWE-674 Uncontrolled Recursion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T09:37:53.702Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stack overflow in Protocol Buffers Java Lite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2024-7254",
        "datePublished": "2024-09-19T00:18:45.824Z",
        "dateReserved": "2024-07-29T21:41:56.116Z",
        "dateUpdated": "2025-09-08T09:37:53.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3171 (GCVE-0-2022-3171)

    Vulnerability from cvelistv5 – Published: 2022-10-12 00:00 – Updated: 2025-04-21 13:47
    Title
    Memory handling vulnerability in ProtocolBuffers Java core and lite
    Summary
    A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Google LLC Protocolbuffers Affected: 3.21.7 , < 3.21.7 (custom)
    Affected: 3.20.3 , < 3.20.3 (custom)
    Affected: 3.19.6 , < 3.19.6 (custom)
    Affected: 3.16.3 , < 3.16.3 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:00:10.773Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
              },
              {
                "name": "FEDORA-2022-25f35ed634",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
              },
              {
                "name": "GLSA-202301-09",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202301-09"
              },
              {
                "name": "FEDORA-2022-15729fa33d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3171",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-21T13:36:41.564407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-21T13:47:57.569Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "core and lite"
              ],
              "product": "Protocolbuffers",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.21.7",
                  "status": "affected",
                  "version": "3.21.7",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.20.3",
                  "status": "affected",
                  "version": "3.20.3",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.19.6",
                  "status": "affected",
                  "version": "3.19.6",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.16.3",
                  "status": "affected",
                  "version": "3.16.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-27T00:00:00.000Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
            },
            {
              "name": "FEDORA-2022-25f35ed634",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
            },
            {
              "name": "GLSA-202301-09",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202301-09"
            },
            {
              "name": "FEDORA-2022-15729fa33d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Memory handling vulnerability in ProtocolBuffers Java core and lite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2022-3171",
        "datePublished": "2022-10-12T00:00:00.000Z",
        "dateReserved": "2022-09-09T00:00:00.000Z",
        "dateUpdated": "2025-04-21T13:47:57.569Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22569 (GCVE-0-2021-22569)

    Vulnerability from cvelistv5 – Published: 2022-01-07 00:00 – Updated: 2025-04-21 13:57
    Title
    Denial of Service of protobuf-java parsing procedure
    Summary
    An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-696 - Incorrect Behavior Order
    Assigner
    Impacted products
    Vendor Product Version
    Google LLC protobuf-java Affected: unspecified , < 3.16.1 (custom)
    Affected: unspecified , < 3.18.2 (custom)
    Affected: unspecified , < 3.19.2 (custom)
    Google LLC protobuf-kotlin Affected: unspecified , < 3.18.2 (custom)
    Affected: unspecified , < 3.19.2 (custom)
    Google LLC google-protobuf [JRuby Gem] Affected: unspecified , < 3.19.2 (custom)
    Credits
    OSS-Fuzz - https://github.com/google/oss-fuzz

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:44:14.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
              },
              {
                "name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
              },
              {
                "name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-22569",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-21T13:40:37.923955Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-21T13:57:08.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "protobuf-java",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.16.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.18.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "protobuf-kotlin",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.18.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "google-protobuf [JRuby Gem]",
              "vendor": "Google LLC",
              "versions": [
                {
                  "lessThan": "3.19.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "OSS-Fuzz - https://github.com/google/oss-fuzz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-696",
                  "description": "CWE-696 Incorrect Behavior Order",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-18T00:00:00.000Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
            },
            {
              "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
            },
            {
              "name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
            },
            {
              "name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of Service of protobuf-java parsing procedure",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2021-22569",
        "datePublished": "2022-01-07T00:00:00.000Z",
        "dateReserved": "2021-01-05T00:00:00.000Z",
        "dateUpdated": "2025-04-21T13:57:08.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
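The CNA "affected" block above lists three fix releases for protobuf-java (3.16.1, 3.18.2, 3.19.2), two for protobuf-kotlin and one for the JRuby gem, each with an unspecified lower bound. The following checker is an added example, not part of the CVE record or of the protobuf project: it encodes those ranges and applies one interpretation (an assumption, since the record does not spell it out) of how the branch fixes combine, namely that a release is fixed only if it is at or above a fix release in its own major.minor branch or at or above the newest fix overall, so branches without a fix such as 3.17.x count as affected. The Gradle-style dependency lines it scans are constructed sample input.

```python
"""Check dependency versions against the CVE-2021-22569 "affected" ranges.

Added example; not from the CVE record or from protobuf. Fix versions are
copied from the record's "lessThan" entries. Branch interpretation is an
assumption: a version is fixed if it is >= a fix in its own major.minor
branch, or >= the newest fix overall; everything else below the newest
fix (including branches with no fix, e.g. 3.17.x) is treated as affected.
"""
import re

# product -> fix releases, copied from the record's cna.affected entries
AFFECTED = {
    "protobuf-java": ["3.16.1", "3.18.2", "3.19.2"],
    "protobuf-kotlin": ["3.18.2", "3.19.2"],
    "google-protobuf [JRuby Gem]": ["3.19.2"],
}


def parse_version(v):
    """Turn 'X.Y.Z' or 'X.Y.Z-rc1' into a sortable tuple.

    A pre-release suffix sorts below the final release of the same number,
    so 3.19.2-rc1 is still counted as affected.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]?(.+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_affected(product, version):
    """True if `version` of `product` falls in this record's affected ranges."""
    fixes = AFFECTED.get(product)
    if fixes is None:
        raise KeyError(f"{product!r} is not listed in this record")
    v = parse_version(version)
    fix_keys = [parse_version(f) for f in fixes]
    if v >= max(fix_keys):
        return False  # at or beyond the newest fix release
    for f in fix_keys:
        if f[:2] == v[:2] and v >= f:
            return False  # fixed within its own major.minor branch
    return True


def scan_manifest(lines):
    """Return affected 'artifact:version' coordinates found in Gradle/Maven-style
    'com.google.protobuf:<artifact>:<version>' strings (constructed input format).
    Only artifacts named in AFFECTED are evaluated; the JRuby gem is not a Maven
    coordinate and is checked via is_affected() directly."""
    hits = []
    for line in lines:
        m = re.search(r"com\.google\.protobuf:([\w-]+):(\d[\w.\-]*)", line)
        if not m:
            continue
        artifact, version = m.groups()
        if artifact in AFFECTED and is_affected(artifact, version):
            hits.append(f"{artifact}:{version}")
    return hits


# Constructed sample build.gradle lines, not taken from any real project.
SAMPLE_DEPENDENCIES = [
    'implementation "com.google.protobuf:protobuf-java:3.19.1"',
    'implementation "com.google.protobuf:protobuf-kotlin:3.18.2"',
    'implementation "com.google.protobuf:protobuf-java:3.17.3"',
    'implementation "com.google.protobuf:protobuf-java-util:3.19.1"',
    'implementation "com.google.protobuf:protobuf-java:3.21.12"',
]

if __name__ == "__main__":
    for hit in scan_manifest(SAMPLE_DEPENDENCIES):
        print("affected by CVE-2021-22569:", hit)
```

The 3.18.2 Kotlin dependency and the 3.21.12 Java dependency pass; 3.19.1 and 3.17.3 are reported. protobuf-java-util is skipped because the record does not list it, which is the right default for a record-driven check: do not widen the affected set beyond what the CNA published.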