CVE-2024-7254
EUVD-2024-274119.09.2024, 01:15
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| protobuf | 𝑥 < 3.25.5 | |
| protobuf | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-java | 𝑥 < 3.25.5 | |
| protobuf-java | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-java | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-javalite | 𝑥 < 3.25.5 | |
| protobuf-javalite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-javalite | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin | 𝑥 < 3.25.5 | |
| protobuf-kotlin | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin-lite | 𝑥 < 3.25.5 | |
| protobuf-kotlin-lite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin-lite | 4.28.0 ≤ 𝑥 ≤ 4.28.2 | |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | bluexp | - |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| protobuf | 𝑥 < 28.2 | ADP | |
| protobuf-kotlin-lite | 𝑥 < 3.25.5 | ADP | |
| protobuf-kotlin-lite | 4.27 ≤ 𝑥 < 4.27.5 | ADP | |
| protobuf-kotlin-lite | 4.28 ≤ 𝑥 < 4.28.2 | ADP |
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| protobuf |
|
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libprotobuf-lite25_1_0 |
| ||||||||||||||||||||
| libprotobuf25_1_0 |
| ||||||||||||||||||||
| libprotoc25_1_0 |
| ||||||||||||||||||||
| protobuf-devel |
| ||||||||||||||||||||
| python311-protobuf |
|
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-787 - Out-of-bounds WriteThe software writes data past the end, or before the beginning, of the intended buffer.