Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Improve][CVE] Protobuf Java vulnerable to Uncontrolled Resource Consumption #6867

Closed
2 tasks done
dockerzhang opened this issue Dec 13, 2022 · 0 comments · Fixed by #6868
Closed
2 tasks done

[Improve][CVE] Protobuf Java vulnerable to Uncontrolled Resource Consumption #6867

dockerzhang opened this issue Dec 13, 2022 · 0 comments · Fixed by #6868
Assignees
@dockerzhang
Labels
type/improve
Milestone
1.5.0

Comments

@dockerzhang
Copy link
Contributor

Description

https://github.com/dockerzhang/incubator-inlong/security/dependabot/95

A parsing issue similar to GHSA-h4h5-3hr4-j3g2, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

InLong Component

Other for not specified component

Are you willing to submit PR?

  • Yes, I am willing to submit a PR!

Code of Conduct
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dockerzhang dockerzhang

Labels
type/improve
Projects
None yet
Milestone
1.5.0
Development

Successfully merging a pull request may close this issue.

[INLONG-6867][CVE] Bump protobuf to 3.19.6 to fix Java vulnerable dockerzhang/incubator-inlong
1 participant
@dockerzhang