Vulnerability Details : CVE-2021-3121
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Products affected by CVE-2021-3121
- cpe:2.3:a:golang:protobuf:*:*:*:*:*:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3121
1.30%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 86 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3121
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
8.6
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
3.9
|
4.7
|
NIST |
CWE ids for CVE-2021-3121
-
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-3121
-
https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025
HCSEC-2021-23 - Consul Exposed to Denial of Service in GoGo Protobuf Dependency - Security - HashiCorp DiscussThird Party Advisory
-
https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E
[GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2 - Pony MailMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20210219-0006/
CVE-2021-3121 GoGo Protobuf Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E
[GitHub] [skywalking-swck] hanahmily opened a new pull request #37: Fix vulnerabilities - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E
[GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2 - Pony MailMailing List;Third Party Advisory
-
https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2
Comparing v1.3.1...v1.3.2 · gogo/protobuf · GitHubPatch;Third Party Advisory
-
https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
skippy peanut butter · gogo/protobuf@b03c65e · GitHubPatch;Third Party Advisory
Jump to