CVE-2021-22569

CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Published Jan 10, 2022

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67

CVSS ScoreMedium

5.5

Vulnerabilities

CVE-2021-22569

Published Jan 10, 2022

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67

CVSS ScoreMedium

5.5

CVE-2021-22569 Security Details

CVE ID: CVE-2021-22569
CWE: CWE-696
NVD-CWE-noinfo
CVE Description: An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Published: Jan 10, 2022
CVSS Score & Severity: 5.5Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score: 0.268%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/google/protobuf/UnknownFieldSet$Builder.addField(ILcom/google/protobuf/UnknownFieldSet$Field;)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.clearField(I)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.clone()Ljava/lang/Object;
JVM
com/google/protobuf/UnknownFieldSet$Builder.hasField(I)Z
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.mergeField(ILcom/google/protobuf/UnknownFieldSet$Field;)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.mergeLengthDelimitedField(ILcom/google/protobuf/ByteString;)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.mergeVarintField(II)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67PROJECT

CVE-2021-22569 Security Details

CVE ID: CVE-2021-22569
CWE: CWE-696
NVD-CWE-noinfo
CVE Description: An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Published: Jan 10, 2022
CVSS Score & Severity: 5.5Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score: 0.268%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: com/google/protobuf/UnknownFieldSet$Builder.addField(ILcom/google/protobuf/UnknownFieldSet$Field;)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.clearField(I)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.clone()Ljava/lang/Object;
JVM
com/google/protobuf/UnknownFieldSet$Builder.hasField(I)Z
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.mergeField(ILcom/google/protobuf/UnknownFieldSet$Field;)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.mergeLengthDelimitedField(ILcom/google/protobuf/ByteString;)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
com/google/protobuf/UnknownFieldSet$Builder.mergeVarintField(II)Lcom/google/protobuf/UnknownFieldSet$Builder;
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67PROJECT

Find vulnerabilities. Fix fast with AI.

CVE-2021-22569

CVE-2021-22569 Security Details

CVE-2021-22569 Security Details