CVE-2024-7254

Name
CVE-2024-7254
Description
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa

Match rules

CPE URI Source package Min version Max version
protocol-buffers >= 0 < 28.2
protobuf-java >= 0 < 3.25.5
protobuf-java >= 0 < 4.27.5
protobuf-java >= 0 < 4.28.2
protobuf-javalite >= 0 < 3.25.5
protobuf-javalite >= 0 < 4.27.5
protobuf-javalite >= 0 < 4.28.2
protobuf-kotlin >= 0 < 3.25.5
protobuf-kotlin >= 0 < 4.27.5
protobuf-kotlin >= 0 < 4.28.2
protobuf-kotllin-lite >= 0 < 3.25.5
protobuf-kotllin-lite >= 0 < 4.27.5
protobuf-kotllin-lite >= 0 < 4.28.2
google-protobuf-[jruby-gem] >= 0 < 3.25.5
google-protobuf-[jruby-gem] >= 0 < 4.27.5
google-protobuf-[jruby-gem] >= 0 < 4.28.2
cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:* protobuf >= 0 < 28.2
cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:* ruby-google-protobuf >= 0 < 3.25.5
cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:* ruby-google-protobuf >= 4.27 < 4.27.5
cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:* ruby-google-protobuf >= 4.28 < 4.28.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
protobuf edge-main 24.4-r3 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
protobuf 3.20-main 24.4-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
protobuf 3.19-main 24.4-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
protobuf 3.18-main 3.21.12-r2 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
protobuf 3.17-main 3.21.9-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable