CVE-2022-3509: A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Affected

18 ranges

Vendor	Product	Version range	Fixed in
atlassian	jira_software	—	—
debian	protobuf	< protobuf 3.21.9-3 (bookworm)	protobuf 3.21.9-3 (bookworm)
google	protobuf	>= 0 < 3.21.9-3	3.21.9-3
google	protobuf	>= 0 < 3.21.9-3	3.21.9-3
google	protobuf	>= 0 < 3.21.9-3	3.21.9-3
google	protobuf-java	>= 3.16.0 < 3.16.3	3.16.3
google	protobuf-java	>= 3.19.0 < 3.19.6	3.19.6
google	protobuf-java	>= 3.20.0 < 3.20.3	3.20.3
google	protobuf-java	>= 3.21.0 < 3.21.7	3.21.7
google	protobuf-javalite	>= 3.16.0 < 3.16.3	3.16.3
google	protobuf-javalite	>= 3.17.0 < 3.19.6	3.19.6
google	protobuf-javalite	>= 3.20.0 < 3.20.3	3.20.3
google	protobuf-javalite	>= 3.21.0 < 3.21.7	3.21.7
msrc	azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0	—	—
msrc	azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0	—	—
msrc	azl3_pytorch_2.2.2-7_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

ghsa7.5HIGH

osv7.5HIGH