CVE-2024-7254
19.09.2024, 01:15
Any project that parses untrusted Protocol Buffers datacontaining an arbitrary number of nested groups / series of SGROUPtags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.Enginsight
| Vendor | Product | Version |
|---|---|---|
| protobuf | 𝑥 < 3.25.5 | |
| protobuf | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-java | 𝑥 < 3.25.5 | |
| protobuf-java | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-java | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-javalite | 𝑥 < 3.25.5 | |
| protobuf-javalite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-javalite | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin | 𝑥 < 3.25.5 | |
| protobuf-kotlin | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin-lite | 𝑥 < 3.25.5 | |
| protobuf-kotlin-lite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin-lite | 4.28.0 ≤ 𝑥 ≤ 4.28.2 | |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | bluexp | - |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| protobuf |
|
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-787 - Out-of-bounds WriteThe software writes data past the end, or before the beginning, of the intended buffer.