CVE-2021-22569

CWE-696 (Incorrect Behavior Order) · 15 documents · 9 sources
Severity
5.5 MEDIUM
EPSS
0.3%
top 49.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 10, 2022
Latest update Jul 15, 2023

Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (16 packages)

NVD: google/protobuf-java, from 3.18.0, fixed in 3.18.2 (+2 more ranges)
CVEListV5: google_llc/protobuf-java, unspecified, fixed in 3.16.1 (+2 more ranges)
Maven: com.google.protobuf:protobuf-java, from 3.18.0, fixed in 3.18.2 (+2 more ranges)
RubyGems: google-protobuf, < 3.19.2
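Checking a Java build against these rows, as an added example (written for this page; not code from the page, from Google or from the protobuf project): the scanner below reads `mvn dependency:tree` output, picks out every `com.google.protobuf:protobuf-java` node and flags versions below the fixed releases the rows above show (3.16.1, 3.18.2, 3.19.2). The rule it applies is an assumption drawn from those rows, since the "+2 more ranges" are collapsed on the page: a version is treated as vulnerable when it is below 3.19.2 unless it sits on a patched maintenance line (3.16.x at or above 3.16.1, 3.18.x at or above 3.18.2). The sample tree is constructed for the example, and the artifact, regex and `Hit` names are choices made here.

```python
"""Flag vulnerable com.google.protobuf:protobuf-java versions in Maven
dependency-tree output (added example for triaging CVE-2021-22569)."""
import re
from typing import List, NamedTuple, Tuple

# First fixed release on each maintenance line, from the affected-package rows
# on the page.  Treating every other version below 3.19.2 as vulnerable is an
# assumption made in this example, not a statement taken from the page.
FIXED_ON_LINE = {
    (3, 16): (3, 16, 1),
    (3, 18): (3, 18, 2),
    (3, 19): (3, 19, 2),
}
LATEST_FIX = (3, 19, 2)

# One node of `mvn dependency:tree` output, e.g.
#   [INFO] +- com.google.protobuf:protobuf-java:jar:3.18.1:compile
# The ':' after 'protobuf-java' keeps protobuf-java-util from matching; the
# {1,2} allows for an optional classifier between type and version.
NODE_RE = re.compile(
    r"com\.google\.protobuf:protobuf-java:(?:[\w-]+:){1,2}"
    r"(?P<ver>\d+\.\d+\.\d+)(?P<qual>[^:\s]*):"
    r"(?P<scope>\w+)"
)


class Hit(NamedTuple):
    version: str
    scope: str
    resolved: bool    # False for nodes Maven marked "omitted for conflict"
    vulnerable: bool


def parse_version(ver: str) -> Tuple[int, int, int]:
    major, minor, patch = (int(x) for x in ver.split("."))
    return major, minor, patch


def is_vulnerable(ver: str, qualifier: str = "") -> bool:
    v = parse_version(ver)
    fix = FIXED_ON_LINE.get(v[:2], LATEST_FIX)
    if qualifier:
        # A pre-release such as 3.19.2-rc-1 precedes the final 3.19.2, so it
        # is still short of the fix when its numeric part equals the fix.
        return v <= fix
    return v < fix


def scan_tree(tree: str) -> List[Hit]:
    """Every protobuf-java node in the tree, resolved or not."""
    hits = []
    for line in tree.splitlines():
        m = NODE_RE.search(line)
        if not m:
            continue
        hits.append(Hit(
            version=m.group("ver") + m.group("qual"),
            scope=m.group("scope"),
            resolved="omitted for" not in line,
            vulnerable=is_vulnerable(m.group("ver"), m.group("qual")),
        ))
    return hits


def resolved_vulnerable(tree: str) -> List[Hit]:
    """Only the nodes Maven's nearest-wins mediation actually puts on the classpath."""
    return [h for h in scan_tree(tree) if h.resolved and h.vulnerable]


# Constructed sample of `mvn dependency:tree` output; not from a real build.
SAMPLE_TREE = """\
[INFO] com.example:service:jar:1.0.0
[INFO] +- com.google.protobuf:protobuf-java:jar:3.18.1:compile
[INFO] +- com.google.protobuf:protobuf-java-util:jar:3.19.2:compile
[INFO] |  \\- (com.google.protobuf:protobuf-java:jar:3.19.2:compile - omitted for conflict with 3.18.1)
[INFO] +- org.example:legacy-client:jar:2.3.0:test
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.16.3:test
[INFO] \\- org.example:preview-sdk:jar:0.9.0:compile
[INFO]    \\- com.google.protobuf:protobuf-java:jar:3.19.2-rc-1:compile
"""

if __name__ == "__main__":
    for hit in scan_tree(SAMPLE_TREE):
        print(hit)
    print("action needed:", resolved_vulnerable(SAMPLE_TREE))
```

The sample deliberately includes a 3.19.2 node that Maven omitted in favour of 3.18.1: a grep for the fixed version would pass that build, while the classpath actually carries the vulnerable 3.18.1. Only the resolved nodes matter, which is what `resolved_vulnerable` reports.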

Patches

🔴 Vulnerability Details (7)

OSV: protobuf vulnerabilities (2023-03-13)
OSV: skylot jadx affected by Incorrect Behavior Order in vulnerable dependency (2022-07-21)
GHSA: skylot jadx affected by Incorrect Behavior Order in vulnerable dependency (2022-07-21)
OSV: CVE-2021-22569: An issue in protobuf-java allowed the interleaving of com… (2022-01-10)
OSV: A potential Denial of Service issue in protobuf-java (2022-01-07)

📋 Vendor Advisories (7)

Oracle: Oracle Communications Applications Risk Matrix: Security (Google Protobuf-Java) — CVE-2021-22569 (2023-07-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Third Party (Google Protobuf-Java) — CVE-2021-22569 (2023-04-15)
Ubuntu: Protocol Buffers vulnerabilities (2023-03-13)
Oracle: Oracle Database Server Risk Matrix: Oracle Spatial and Graph MapViewer (protobuf-java) — CVE-2021-22569 (2022-04-15)
Microsoft: Denial of Service of protobuf-java parsing procedure (2022-01-11)