CVE-2015-5237 : protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.

Published 2017-09-25 17:29:00

Updated 2023-02-12 23:15:34

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowMemory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2015-5237

Probability of exploitation activity in the next 30 days: 1.68%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-5237

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2015-5237

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-5237

https://lists.apache.org/thread.html/re6d04a214424a97ea59c62190d79316edf311a0a6346524dfef3b940%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] guyv commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/r4886108206d4c535db9b20c813fe4723d4fe6a91b9278382af8b9d08%40%3Cissues.spark.apache.org%3E

[jira] [Commented] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237-Apache Mail Archives
https://bugzilla.redhat.com/show_bug.cgi?id=1256426

1256426 – (CVE-2015-5237) CVE-2015-5237 protobuf: integer overflow in serialization
Issue Tracking;Third Party Advisory
https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E

Dependency vulnerabilities with Apache Flink 1.10.1 version-Apache Mail Archives
https://lists.apache.org/thread.html/r1d274d647b3c2060df9be21eade4ce56d3a59998cf19ac72662dd994%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] codelipenghui closed issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/r00d9ab1fc0f1daf14cd4386564dd84f7889404438d81462c86dfa836%40%3Ccommon-dev.hadoop.apache.org%3E

[jira] [Created] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities CVEs #CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/rb40dc9d63a5331bce8e80865b7fa3af9dd31e16555affd697b6f3526%40%3Cissues.spark.apache.org%3E

[jira] [Assigned] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/r42ef6acfb0d86a2df0c2390702ecbe97d2104a331560f2790d17ca69%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/r14fa8d38d5757254f1a2e112270c996711d514de2e3b01c93d397ab4%40%3Cissues.spark.apache.org%3E

[jira] [Resolved] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237-Apache Mail Archives
http://www.openwall.com/lists/oss-security/2015/08/27/2

oss-security - CVE-2015-5237: Integer overflow in protobuf serialization (currently minor)
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E

Dependencies used by Drill contain known vulnerabilities-Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E

[jira] [Commented] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities，CVE-2015-5237，CVE-2019-15544-Apache Mail Archives
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E

[jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities，CVE-2015-5237，CVE-2019-15544-Apache Mail Archives
https://lists.apache.org/thread.html/r17dc6f394429f6bffb5e4c66555d93c2e9923cbbdc5a93db9a56c1c7%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/r764fc66435ee4d185d359c28c0887d3e5866d7292a8d5598d9e7cbc4%40%3Ccommon-issues.hadoop.apache.org%3E

[jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/r5741f4dbdd129dbb9885f5fb170dc1b24a06b9313bedef5e67fded94%40%3Cissues.spark.apache.org%3E

[jira] [Created] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/rf7539287c90be979bac94af9aaba34118fbf968864944b4871af48dd%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] merlimat commented on issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/r0ca83171c4898dc92b86fa6f484a7be1dc96206765f4d01dce0f1b28%40%3Ccommon-issues.hadoop.apache.org%3E

[jira] [Commented] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E

[jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544-Apache Mail Archives
https://lists.apache.org/thread.html/r1263fa5b51e4ec3cb8f09ff40e4747428c71198e9bee93349ec96a3c%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] guyv edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/r320dc858da88846ba00bb077bcca2cdf75b7dde0f6eb3a3d60dba6a1%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/ra28fed69eef3a71e5fe5daea001d0456b05b102044237330ec5c7c82%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] guyv opened a new issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.)-Apache Mail Archives
https://lists.apache.org/thread.html/r5e52caf41dc49df55b4ee80758356fe1ff2a88179ff24c685de7c28d%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] fmiguelez opened a new issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237-Apache Mail Archives
https://lists.apache.org/thread.html/r85c9a764b573c786224688cc906c27e28343e18f5b33387f94cae90f%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/r42e47994734cd1980ef3e204a40555336e10cc80096927aca2f37d90%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E

[jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities，CVE-2015-5237，CVE-2019-15544-Apache Mail Archives
https://lists.apache.org/thread.html/rb71dac1d9dd4e8a8ae3dbc033aeae514eda9be1263c1df3b42a530a2%40%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)-Apache Mail Archives
https://lists.apache.org/thread.html/r2ea33ce5591a9cb9ed52750b6ab42ab658f529a7028c3166ba93c7d5%40%3Ccommon-issues.hadoop.apache.org%3E

[jira] [Created] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities CVEs #CVE-2015-5237-Apache Mail Archives
https://github.com/google/protobuf/issues/760

CVE-2015-5237: Integer overflow in serialization · Issue #760 · protocolbuffers/protobuf · GitHub
Issue Tracking;Third Party Advisory
https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E

Dependency vulnerabilities with Apache Flink 1.10.1 version-Apache Mail Archives

Products affected by CVE-2015-5237

Google » Protobuf
Versions up to, including, (<=) 3.1.0
cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2015-5237

Exploit prediction scoring system (EPSS) score for CVE-2015-5237

CVSS scores for CVE-2015-5237

CWE ids for CVE-2015-5237

References for CVE-2015-5237

Products affected by CVE-2015-5237