Vulnerability Details : CVE-2022-1941
A parsing vulnerability in the MessageSet type of Protocol Buffers can lead to out-of-memory failures. It affects protobuf-cpp versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5, and protobuf-python versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5. A specially crafted message with multiple key-value pairs per element triggers the parsing issue and can cause a Denial of Service against services that receive unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2 or 3.21.6 for protobuf-cpp, and 3.18.3, 3.19.5, 3.20.2 or 4.21.6 for protobuf-python. The 3.16 and 3.17 release lines are no longer updated.
Vulnerability category: Denial of service
Products affected by CVE-2022-1941
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:protobuf-cpp:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-1941
EPSS score: 0.33% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~71% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-1941
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-08-01
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2022-1941
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. (Assigned by: nvd@nist.gov, Primary)
- The product receives input that is expected to be well-formed, i.e., to comply with a certain syntax, but it does not validate or incorrectly validates that the input complies with the syntax. (Assigned by: cve-coordination@google.com, Secondary)
References for CVE-2022-1941
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
  A potential Denial of Service issue in protobuf-cpp and protobuf-python, Advisory, protocolbuffers/protobuf, GitHub (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
  [SECURITY] Fedora 37 Update: protobuf-3.19.6-1.fc37, package-announce, Fedora mailing-lists (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
  [SECURITY] [DLA 3393-1] protobuf security update (Mailing List)
- https://cloud.google.com/support/bulletins#GCP-2022-019
  Security Bulletins | Customer Care | Google Cloud (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
  [SECURITY] Fedora 36 Update: perl-Alien-ProtoBuf-0.09-17.fc36, package-announce, Fedora mailing-lists (Mailing List)
- https://security.netapp.com/advisory/ntap-20240705-0001/
  CVE-2022-1941 Protobuf-cpp & Protobuf-python Vulnerability in NetApp Products | NetApp Product Security
- http://www.openwall.com/lists/oss-security/2022/09/27/1
  oss-security - CVE-2022-1941: Protobuf C++, Python DoS (Mailing List; Third Party Advisory)