CVE-2024-7254
19.09.2024, 01:15
Any project that parses untrusted Protocol Buffers datacontaining an arbitrary number of nested groups / series of SGROUPtags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.Enginsight
| Vendor | Product | Version |
|---|---|---|
| protobuf | 𝑥 < 3.25.5 | |
| protobuf | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-java | 𝑥 < 3.25.5 | |
| protobuf-java | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-java | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-javalite | 𝑥 < 3.25.5 | |
| protobuf-javalite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-javalite | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin | 𝑥 < 3.25.5 | |
| protobuf-kotlin | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin | 4.28.0 ≤ 𝑥 < 4.28.2 | |
| protobuf-kotlin-lite | 𝑥 < 3.25.5 | |
| protobuf-kotlin-lite | 4.0.0 ≤ 𝑥 < 4.27.5 | |
| protobuf-kotlin-lite | 4.28.0 ≤ 𝑥 ≤ 4.28.2 | |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | bluexp | - |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-787 - Out-of-bounds WriteThe software writes data past the end, or before the beginning, of the intended buffer.