CVE-2024-24786: Improper Validation of Syntactic Correctness of Input in google.golang.org/protobuf (encoding/protojson)

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 39.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2024-03-05; latest update 2025-01-15

Description

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message that contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. The impact is availability only: a request carrying such input pins a CPU and never returns, which matches the CVSS vector below (C:N/I:N/A:H). The fix shipped in google.golang.org/protobuf v1.33.0 (Go vulnerability database entry GO-2024-2611); upgrading is the remediation, and anything else is a stopgap.
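The following is an added example, not code from the protobuf project or from this advisory. It shows the two stopgaps a service can apply while the upgrade rolls out: cap the size of JSON accepted from untrusted callers, and bound how long the caller waits on the decoder so a looping parse turns into a failed request instead of a hung one. The guard is written against a plain `func([]byte) error` so it runs here without the protobuf module; in a real service you pass `func(b []byte) error { return protojson.Unmarshal(b, msg) }`. The names `GuardedUnmarshal`, `JSONDecoder` and `HangingDecoder` are this example's own, and `HangingDecoder` is a constructed stand-in for the looping parser.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// The two ways the guard refuses input, exported so callers can errors.Is on them.
var (
	ErrInputTooLarge = errors.New("json input exceeds size limit")
	ErrDeadline      = errors.New("unmarshal did not finish before deadline")
)

// Decoder is the shape the guard wraps. With the real library the caller supplies
//   func(b []byte) error { return protojson.Unmarshal(b, msg) }
// (assumption: protojson is deliberately not imported in this example).
type Decoder func([]byte) error

// GuardedUnmarshal runs decode on input, rejecting oversized input up front and
// giving up after timeout. Caveat: a goroutine stuck in an infinite loop cannot be
// cancelled, so the caller regains control but the spinning goroutine keeps burning
// CPU until the process exits. This bounds latency, not CPU; the fix is the upgrade.
func GuardedUnmarshal(ctx context.Context, decode Decoder, input []byte, maxBytes int, timeout time.Duration) error {
	if len(input) > maxBytes {
		return ErrInputTooLarge
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()

	done := make(chan error, 1) // buffered: a late finisher must not block forever on send
	go func() { done <- decode(input) }()

	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return ErrDeadline
	}
}

// JSONDecoder is the success-path stand-in: encoding/json is used only because this
// example must build without the protobuf module (assumption, not the real decoder).
func JSONDecoder(b []byte) error {
	var v any
	return json.Unmarshal(b, &v)
}

// HangingDecoder is a constructed stand-in for protojson.Unmarshal fed a looping
// input. It blocks instead of spinning so the demo does not peg a core.
func HangingDecoder([]byte) error {
	select {}
}

func main() {
	ctx := context.Background()
	// Constructed sample: a well-formed Any-style JSON object goes through normally.
	good := []byte(`{"@type":"type.googleapis.com/google.protobuf.Duration","value":"1s"}`)
	fmt.Println("well-formed:", GuardedUnmarshal(ctx, JSONDecoder, good, 1<<20, time.Second))
	// Same guard in front of a decoder that never returns: the caller gets an error
	// after the deadline instead of hanging.
	fmt.Println("looping parse:", GuardedUnmarshal(ctx, HangingDecoder, []byte(`{`), 1<<20, 100*time.Millisecond))
	// Oversized input is refused before any decoding happens.
	fmt.Println("oversized:", GuardedUnmarshal(ctx, JSONDecoder, good, 8, time.Second))
}
```

Pick the size cap from the largest legitimate message the endpoint expects, and treat a deadline hit as a signal to alert: under this CVE it means a request tripped the loop and the goroutine is still running, so the process should be recycled rather than left to accumulate stuck workers.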

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Vulnerability Details

GHSA: Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON (2024-03-06)
OSV: Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON (2024-03-06)
OSV: Infinite loop in JSON unmarshaling in google.golang.org/protobuf (2024-03-05)
OSV: CVE-2024-24786: The protojson (2024-03-05)

Vendor Advisories

Oracle: Oracle Communications Applications Risk Matrix: Core (Google Protobuf-Java) — CVE-2024-24786 (2025-01-15)
Palo Alto: PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-11-01)
Ubuntu: Google Guest Agent and Google OS Config Agent vulnerability (2024-06-25)
Ubuntu: Google Guest Agent and Google OS Config Agent vulnerability (2024-04-23)
Microsoft: Infinite loop in JSON unmarshaling in google.golang.org/protobuf (2024-03-12)