CVE-2024-7254
EUVD-2024-274119.09.2024, 01:15
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| protobuf | 𝑥 < 3.25.5 | |
| protobuf | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-java | 𝑥 < 3.25.5 | |
| protobuf-java | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-java | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-javalite | 𝑥 < 3.25.5 | |
| protobuf-javalite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-javalite | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin | 𝑥 < 3.25.5 | |
| protobuf-kotlin | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin-lite | 𝑥 < 3.25.5 | |
| protobuf-kotlin-lite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin-lite | 4.28.0 ≤ 𝑥 ≤ 4.28.2 | |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | bluexp | - |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| protobuf |
|
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-787 - Out-of-bounds WriteThe software writes data past the end, or before the beginning, of the intended buffer.