Input validation error in protobuf

#VU69670 Input validation error in protobuf

Published: 2022-11-29 | Updated: 2024-03-21

Vulnerability identifier: #VU69670

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3509

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
protobuf
Other software / Other software solutions

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

protobuf: 3.16.0 - 3.21.6

External links
http://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9
http://www.ibm.com/support/pages/node/6960535

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Tivoli Business Service Manager

Multiple vulnerabilities in IBM OpenPages with Watson

Multiple vulnerabilities in IBM Storage Protect Server

Jira Software Data Center and Server update for protobuf-java

Multiple vulnerabilities in IBM Transformation Extender Advanced

Multiple vulnerablities in Juniper Networks Juniper Secure Analytics

Multiple vulnerabilities in IBM Disconnected Log Collector

Multiple vulnerabilities in IBM QRadar SIEM

Splunk User Behavior Analytics (UBA) update for third-party software

Multiple vulnerabilities in IBM Observability with Instana (OnPrem)