Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-3510

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Published

2022-12-12T13:15:14.670

Last Modified

2025-04-22T15:15:59.860

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
NVD-CWE-noinfo
Type: Secondary
CWE-400

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	google	protobuf-java	< 3.16.3	Yes
Application	google	protobuf-java	< 3.19.6	Yes
Application	google	protobuf-java	< 3.20.3	Yes
Application	google	protobuf-java	< 3.21.7	Yes
Application	google	protobuf-javalite	< 3.16.3	Yes
Application	google	protobuf-javalite	< 3.19.6	Yes
Application	google	protobuf-javalite	< 3.20.3	Yes
Application	google	protobuf-javalite	< 3.21.7	Yes

References

https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 Patch, Third Party Advisory ([email protected])
https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)