Vulnerability in Protobuf-java LibraryIssue date: 06-01-2023
Affects versions: 15.1, 14.7, 13.4
Security Issue ID
Affected Product Version(s)
15.1.4, 14.7.12, 13.4.21 and previous releases.
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
- Base Score: HIGH (7.5)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.0, 14.7.13, 13.4.22.