You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
mend-bolt-for-githubbot
changed the title
CVE-2022-1941 (Medium) detected in google.protobuf.3.6.1.nupkg
CVE-2022-1941 (High) detected in google.protobuf.3.6.1.nupkg
Oct 14, 2022
CVE-2022-1941 - High Severity Vulnerability
Vulnerable Library - google.protobuf.3.6.1.nupkg
C# runtime library for Protocol Buffers - Google's data interchange format.
Library home page: https://api.nuget.org/packages/google.protobuf.3.6.1.nupkg
Path to dependency file: /src/NetCore2Blockly/TestBlocklyHtml/TestBlocklyHtml.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/google.protobuf/3.6.1/google.protobuf.3.6.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: 45bca1ef1994d3c69095e1ff017f4242094e5825
Found in base branch: master
Vulnerability Details
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: