CVE-2023-24535 — Out-of-bounds Read in Protobuf Google.golang.org Protobuf Internal Encoding Text

CWE-125 — Out-of-bounds Read CWE-400 — Uncontrolled Resource Consumption7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 39.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google.golang.org Protobuf Google.golang.org Protobuf Encoding Prototext Google.golang.org Protobuf Google.golang.org Protobuf Internal Encoding Text Google.golang.org Protobuf +2 more

Timeline

PublishedJun 8

Latest updateJun 14

Description

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5google.golang.org/protobuf_google.golang.org_protobuf_encoding_prototext1.29.0 — 1.29.1

▶CVEListV5google.golang.org/protobuf_google.golang.org_protobuf_internal_encoding_text1.29.0 — 1.29.1

▶Gogoogle.golang.org/protobuf1.29.0 — 1.29.1

▶NVDprotobuf/protobuf1.29.0

▶debiandebian/golang-google-protobuf

Patches

Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

OSV

CVE-2023-24535: Parsing invalid messages can panic↗2023-06-08

▶

OSV

Panic when parsing invalid messages in google.golang.org/protobuf↗2023-03-14

▶

GHSA

google.golang.org/protobuf vulnerable to panic leading to denial of service↗2023-03-14

▶

OSV

google.golang.org/protobuf vulnerable to panic leading to denial of service↗2023-03-14

▶

📋Vendor Advisories

Red Hat

golang/Protobuf: panic when parsing an incomplete number↗2023-06-14

▶

Debian

CVE-2023-24535: golang-google-protobuf - Parsing invalid messages can panic. Parsing a text-format message which contains...↗2023

▶