Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2022-3510
Good to know:
Date: November 11, 2022
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Language: Java
Severity Score
Related Resources (5)
Severity Score
Weakness Type (CWE)
Uncontrolled Resource Consumption
CWE-400Insufficient Information
NVD-CWE-noinfoTop Fix
Upgrade Version
Upgrade to version com.google.protobuf:protobuf-java:3.16.3;com.google.protobuf:protobuf-java:3.19.6;com.google.protobuf:protobuf-java:3.20.3;com.google.protobuf:protobuf-java:3.21.7;com.google.protobuf:protobuf-java:3.16.3;com.google.protobuf:protobuf-javalite:3.16.3;com.google.protobuf:protobuf-javalite:3.19.6;com.google.protobuf:protobuf-javalite:3.20.3;com.google.protobuf:protobuf-javalite:3.21.7;com.google.protobuf:protobuf-javalite:3.21.7;com.google.protobuf:protobuf-javalite:3.16.3;https://github.com/protocolbuffers/protobuf.git - 3.16.3;https://github.com/protocolbuffers/protobuf.git - v3.19.6;https://github.com/protocolbuffers/protobuf.git - v3.20.3;https://github.com/protocolbuffers/protobuf.git - v3.21.7
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | NONE |
| Availability (A): | HIGH |