CVE-2021-22570

CWE-476 — NULL Pointer Dereference12 documents9 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 66.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google LLC Protobuf Github.com Protocolbuffers/protobuf Google Protobuf +3 more

Timeline

PublishedJan 26

Latest updateMar 13

Description

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

▶PyPIprotobuf< 3.15.0

▶NVDgoogle/protobuf< 3.15.0

▶NuGetGoogle.Protobuf< 3.15.0

▶Packagistgoogle/protobuf< 3.15.0

▶CVEListV5google_llc/protobufunspecified — 3.15.0

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 34, 35, 36

🔴Vulnerability Details

OSV

protobuf vulnerabilities↗2023-03-13

▶

OSV

Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers↗2022-01-27

▶

GHSA

Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers↗2022-01-27

▶

CVEList

Nullptr Dereference in Protobuf↗2022-01-26

▶

OSV

CVE-2021-22570: Nullptr dereference when a null char is present in a proto symbol↗2022-01-26

▶

📋Vendor Advisories

Ubuntu

Protocol Buffers vulnerabilities↗2023-03-13

▶

Ubuntu

Protocol Buffers vulnerability↗2022-06-21

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Server: Compiling (protobuf) — CVE-2021-22570↗2022-04-15

▶

Red Hat

protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference↗2022-01-26

▶

Microsoft

Nullptr Dereference in Protobuf↗2022-01-11

▶