CVE-2021-3121
Published: 2021-01-11
Priority: P3 · Severity: high · CVSS 3.1 base score: 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS: 3.48% (87.6th percentile)
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-gogoprotobuf | < golang-gogoprotobuf 1.3.2-1 (bookworm) | golang-gogoprotobuf 1.3.2-1 (bookworm) |
| github.com | gogo_protobuf | >= 0 < 1.3.2 | 1.3.2 |
| golang | protobuf | < 1.3.2 | 1.3.2 |
| hashicorp | consul | < 1.8.15 | 1.8.15 |
| hashicorp | consul | >= 1.10.0 < 1.10.2 | 1.10.2 |
| hashicorp | consul | >= 1.9.0 < 1.9.9 | 1.9.9 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 8.6 | HIGH | |
| vendor_debian | | 8.6 | HIGH | |
| vendor_redhat | | 8.6 | HIGH | |
OSV · 2022-03-28
Improper Input Validation in GoGo Protobuf [HIGH]
GHSA · 2022-03-28
Improper Input Validation in GoGo Protobuf [HIGH] (CWE-129)
OSV · 2021-04-14
Panic due to improper input validation in github.com/gogo/protobuf
Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.
OSV · 2021-01-11 · CVSS 8.6
CVE-2021-3121: An issue was discovered in GoGo Protobuf before 1 [HIGH]
Red Hat · 2021-01-11 · CVSS 8.6
gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation [HIGH] (CWE-129)
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.
Statement: OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) all include code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component is known to accept proto
Debian · 2021 · CVSS 8.6
CVE-2021-3121: golang-gogoprotobuf - An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarsha... [HIGH]
Scope: local
bookworm: resolved (fixed in 1.3.2-1)
bullseye: resolved (fixed in 1.3.2-1)
forky: resolved (fixed in 1.3.2-1)
sid: resolved (fixed in 1.3.2-1)
trixie: resolved (fixed in 1.3.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025
https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2
https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44%40%3Ccommits.pulsar.apache.org%3E
https://security.netapp.com/advisory/ntap-20210219-0006/