Vulnerabilities > CVE-2022-3510 - Unspecified vulnerability in Google Protobuf-Java and Protobuf-Javalite

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

google

NVD

Published: 2022-12-12

Updated: 2023-11-07

Summary

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Vulnerable Configurations

Part	Description	Count
Application	Google Google Protobuf Javalite 3.17.0 Google Protobuf Javalite 3.20.0 Google Protobuf Javalite 3.21.0 Google Protobuf Javalite * Google Protobuf Java 3.21.0 Google Protobuf Java 3.21.1 Google Protobuf Java 3.21.2 Google Protobuf Java 3.21.3 Google Protobuf Java 3.21.4 Google Protobuf Java 3.21.5 Google Protobuf Java 3.21.6 Google Protobuf Java 3.20.0 Google Protobuf Java 3.20.1 Google Protobuf Java 3.20.2 Google Protobuf Java 3.16.0 Google Protobuf Java 3.16.1 Google Protobuf Java 3.19.0 Google Protobuf Java 3.19.1 Google Protobuf Java 3.19.2 Google Protobuf Java 3.19.3 Google Protobuf Java 3.19.4 Google Protobuf Java 3.19.5	32

References

https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48