#VU97574 Uncontrolled Recursion in protobuf - CVE-2024-7254

Published: September 19, 2024

Vulnerability identifier: #VU97574
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-7254
CWE-ID: CWE-674
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: protobuf
Software vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or when parsing Protobuf map fields. A remote attacker can pass specially crafted input to the application to trigger unbounded recursion and perform a denial of service (DoS) attack.
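As an added illustration (not part of this advisory and not the protobuf project's own code), the following minimal Python skipper for unknown wire-format fields shows the kind of depth check a parser needs when it recurses into nested groups. The default limit of 100 is an assumption chosen to match protobuf's documented default recursion limit, and `nested_groups` builds a constructed test input.

```python
# Added example: bounded skipping of unknown protobuf fields (wire types
# 0 varint, 1 fixed64, 2 length-delimited, 3 start group, 4 end group, 5 fixed32).
def _read_varint(buf, pos):
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def _skip_field(buf, pos, depth, limit):
    tag, pos = _read_varint(buf, pos)
    field, wire = tag >> 3, tag & 7
    if wire == 0:                      # varint: read and discard the value
        _, pos = _read_varint(buf, pos)
    elif wire in (1, 5):               # fixed64 / fixed32: fixed-size payload
        pos += 8 if wire == 1 else 4
    elif wire == 2:                    # length-delimited: skip the declared length
        n, pos = _read_varint(buf, pos)
        pos += n
    elif wire == 3:                    # start group: recurse, bounded by depth
        if depth + 1 > limit:
            raise RecursionError(f"group nesting deeper than {limit}")
        while True:
            peek, after = _read_varint(buf, pos)
            if peek & 7 == 4:          # end group must close the same field
                if peek >> 3 != field:
                    raise ValueError("mismatched end-group tag")
                pos = after
                break
            pos = _skip_field(buf, pos, depth + 1, limit)
    else:                              # stray end group or invalid wire type
        raise ValueError(f"unexpected wire type {wire}")
    if pos > len(buf):
        raise ValueError("truncated field")
    return pos

def skip_unknown_fields(buf, recursion_limit=100):
    """Skip every field in buf as unknown; return the number of top-level fields.
    The default of 100 is an assumption mirroring protobuf's default limit."""
    count, pos = 0, 0
    while pos < len(buf):
        pos = _skip_field(buf, pos, 0, recursion_limit)
        count += 1
    return count

def nested_groups(depth, field=1):
    """Constructed test input: `depth` groups of field number `field`, nested."""
    return bytes([field << 3 | 3]) * depth + bytes([field << 3 | 4]) * depth
```

Without the `depth + 1 > limit` check, each nesting level costs a stack frame, which is the resource exhaustion this advisory describes.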

Remediation

Install updates from the vendor's website.

External links