CVE-2022-3509

CWE-400 — Uncontrolled Resource Consumption CWE-9159 documents8 sources

Severity

7.5HIGH

EPSS

0.1%

top 67.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Protocolbuffers Google Protobuf-java Google Protobuf-javalite

Timeline

PublishedDec 12

Latest updateMar 19

Description

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDgoogle/protobuf-javalite3.16.0 — 3.16.3+3

▶Mavencom.google.protobuf:protobuf-javalite3.20.0 — 3.20.3+2

▶NVDgoogle/protobuf-java3.16.0 — 3.16.3+3

▶Mavencom.google.protobuf:protobuf-java3.0.0 — 3.16.3+3

▶Debianprotobuf< 3.21.9-3+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-3509: A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3↗2022-12-12

▶

GHSA

Protobuf Java vulnerable to Uncontrolled Resource Consumption↗2022-12-12

▶

OSV

Protobuf Java vulnerable to Uncontrolled Resource Consumption↗2022-12-12

▶

CVEList

Parsing issue in protobuf textformat↗2022-11-01

▶

📋Vendor Advisories

Atlassian

CVE-2022-3509: DoS (Denial of Service) com.google.protobuf:protobuf-java Dependency in Jira Software Data Center and Server↗2024-03-19

▶

Red Hat

protobuf-java: Textformat parsing issue leads to DoS↗2022-12-15

▶

Microsoft

Parsing issue in protobuf textformat↗2022-11-08

▶

Debian

CVE-2022-3509: protobuf - A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java c...↗2022

▶