CVE-2022-48468 : protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required

protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.

Published 2023-04-13 21:15:07

Updated 2023-04-29 07:15:07

Source MITRE

View at NVD, CVE.org

Vulnerability category: Overflow

Exploit prediction scoring system (EPSS) score for CVE-2022-48468

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Assigned by: nvd@nist.gov (Primary)

https://github.com/protobuf-c/protobuf-c/commit/ec3d900001a13ccdaa8aef996b34c61159c76217

Merge pull request #513 from protobuf-c/edmonds/issue499 · protobuf-c/protobuf-c@ec3d900 · GitHub
Patch
https://github.com/protobuf-c/protobuf-c/releases/tag/v1.4.1

Release protobuf-c 1.4.1 · protobuf-c/protobuf-c · GitHub
Patch;Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UGLZZYPOLI733DPETL444E3GY5KSS6LG/

[SECURITY] Fedora 36 Update: libsignal-protocol-c-2.3.3-7.fc36 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EI4JZSHJXW7WOOTAQSV5SUCC5GE2GC2B/

[SECURITY] Fedora 38 Update: libsignal-protocol-c-2.3.3-9.fc38 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNUEZZEPR2F6M67ANXLOPJX6AQL3TK4P/

[SECURITY] Fedora 37 Update: libsignal-protocol-c-2.3.3-8.fc37 - package-announce - Fedora Mailing-Lists
https://github.com/protobuf-c/protobuf-c/issues/499

unsigned integer overflow · Issue #499 · protobuf-c/protobuf-c · GitHub
Issue Tracking;Patch;Third Party Advisory
https://github.com/protobuf-c/protobuf-c/pull/513

Fix issue #499: unsigned integer overflow by edmonds · Pull Request #513 · protobuf-c/protobuf-c · GitHub
Patch;Third Party Advisory

Protobuf-c Project » Protobuf-c
Versions before (<) 1.4.1
cpe:2.3:a:protobuf-c_project:protobuf-c:*:*:*:*:*:*:*:*
Matching versions