CVE-2022-3171 — Improper Input Validation in Google Google-protobuf
Severity
7.5HIGHNVD
CNA4.3GHSA4.3
EPSS
0.1%
top 66.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedOct 12
Latest updateMar 19
Description
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages9 packages
Also affects: Fedora 37
🔴Vulnerability Details
6OSV▶
CVE-2022-3171: A parsing issue with binary data in protobuf-java core and lite versions prior to 3↗2022-10-12
📋Vendor Advisories
10Atlassian▶
CVE-2022-3171: DoS (Denial of Service) com.google.protobuf:protobuf-java Dependency in Jira Software Data Center and Server↗2024-03-19
Oracle
▶
Oracle▶
Oracle Oracle Financial Services Applications Risk Matrix: Accessibility (Google Protobuf-Java) — CVE-2022-3171↗2023-07-15
Oracle▶
Oracle Oracle Communications Applications Risk Matrix: Core (Google Protobuf-Java) — CVE-2022-3171↗2023-04-15
Oracle▶
Oracle Oracle Communications Applications Risk Matrix: Policy (Google Protobuf-Java) — CVE-2022-3171↗2023-01-15