Improper Validation of Array Index in Protobuf - CVE-2021-3121
Published: May 6, 2021
Vulnerability identifier: #VU52902
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-3121
CWE-ID: CWE-129
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Gogo
Affected software:
Protobuf
Protobuf
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper validation of index array in plugin/unmarshal/unmarshal.go. A remote attacker can pass specially crafted data to the application and bypass implemented security restrictions, possibly leading to remote code execution.
How to mitigate CVE-2021-3121
Install updates from vendor's website.
Sources
- https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
- https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2
- https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210219-0006/