1) Input validation error

EUVDB-ID: #VU69293

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3171

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input containing multiple instances of non-repeated embedded messages with repeated or unknown fields. A remote attacker can cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

protobuf: 3.16.0 - 3.21.6

---

CPE2.3

• cpe:2.3:a:google:protobuf:3.21.6:*:*:*:*:*:*:*

External links

http://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
http://www.ibm.com/support/pages/node/6960535

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU69670

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3509

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

protobuf: 3.16.0 - 3.21.6

---

CPE2.3

• cpe:2.3:a:google:protobuf:3.21.6:*:*:*:*:*:*:*

External links

http://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9
http://www.ibm.com/support/pages/node/6960535

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?