CVE-2022-1941

CVE-2022-1941

Name

CVE-2022-1941

Description

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://cloud.google.com/support/bulletins#GCP-2022-019
CONFIRM	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
MLIST	http://www.openwall.com/lists/oss-security/2022/09/27/1
Mailing List	https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/

Type

URI

CONFIRM

https://cloud.google.com/support/bulletins#GCP-2022-019

CONFIRM

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf

MLIST

http://www.openwall.com/lists/oss-security/2022/09/27/1

Mailing List

https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:google:protobuf-cpp::::::::`	protobuf-cpp	>= 3.21.0	< 3.21.6
`cpe:2.3:a:google:protobuf-cpp::::::::`	protobuf-cpp	>= 3.20.0	< 3.20.2
`cpe:2.3:a:google:protobuf-cpp::::::::`	protobuf-cpp	>= 3.19.0	< 3.19.5
`cpe:2.3:a:google:protobuf-cpp::::::::`	protobuf-cpp	>= None	< 3.18.3
`cpe:2.3:a:google:protobuf-python::::::::`	protobuf-python	>= 4.0.0	< 4.21.6
`cpe:2.3:a:google:protobuf-python::::::::`	protobuf-python	>= 3.20.0	< 3.20.2
`cpe:2.3:a:google:protobuf-python::::::::`	protobuf-python	>= 3.19.0	< 3.19.5
`cpe:2.3:a:google:protobuf-python::::::::`	protobuf-python	>= None	< 3.18.3

CPE URI

Source package

Min version

Max version

cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*

protobuf-cpp

>= 3.21.0

< 3.21.6

cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*

protobuf-cpp

>= 3.20.0

< 3.20.2

cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*

protobuf-cpp

>= 3.19.0

< 3.19.5

cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*

protobuf-cpp

>= None

< 3.18.3

cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*

protobuf-python

>= 4.0.0

< 4.21.6

cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*

protobuf-python

>= 3.20.0

< 3.20.2

cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*

protobuf-python

>= 3.19.0

< 3.19.5

cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*

protobuf-python

>= None

< 3.18.3

References

Match rules

Vulnerable and fixed packages