CVE-2022-1941 — Improper Validation of Syntactic Correctness of Input in Google Protobuf-cpp
Severity: 7.5 HIGH (NVD); OSV: 8.8 / 5.5
EPSS: 0.2% (top 61.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 22; Latest update Feb 14
Description
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upg…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 33 packages
Also affects: Debian Linux 10.0, Fedora 36, 37
Vulnerability Details
OSV entry: CVE-2022-1941 (2022-09-22)