Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-1941

HIGH
Published 2022-09-22T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-1941. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.001
probability
of exploitation in the wild

There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.311
Higher than 31.1% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
NONE
Availability
HIGH

Description

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Google LLC

protobuf-cpp

Affected Versions:

unspecified unspecified unspecified unspecified unspecified unspecified
Google LLC

protobuf-python

Affected Versions:

unspecified unspecified unspecified unspecified unspecified unspecified
google

protobuf-cpp

Affected Versions:

0 3.19.0 3.20.0 3.21.0
google

protobuf-python

Affected Versions:

0 3.19.0 3.20.0 4.0.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

protobuf-cpp and protobuf-python have potential Denial of Service issue

GHSA-8gq9-2x98-w8hf

Advisory Details

### Summary A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries. Reporter: [ClusterFuzz](https://google.github.io/clusterfuzz/) Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below. ### Severity & Impact As scored by google **Medium 5.7** - [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) Asscored byt NIST **High 7.5** - [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM. ### Proof of Concept For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness. ### Mitigation / Patching Please update to the latest available versions of the following packages: - protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6) - protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

Affected Packages

PyPI protobuf
ECOSYSTEM: ≥0 <3.18.3
PyPI protobuf
ECOSYSTEM: ≥3.19.0 <3.19.5
PyPI protobuf
ECOSYSTEM: ≥3.20.0 <3.20.2
PyPI protobuf
ECOSYSTEM: ≥4.0.0 <4.21.6

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

WEB https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-1941
WEB https://cloud.google.com/support/bulletins#GCP-2022-019
PACKAGE https://github.com/protocolbuffers/protobuf
WEB https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP
WEB https://security.netapp.com/advisory/ntap-20240705-0001
WEB http://www.openwall.com/lists/oss-security/2022/09/27/1

Advisory provided by GitHub Security Advisory Database. Published: September 23, 2022, Modified: July 5, 2024

References

https://cloud.google.com/support/bulletins#GCP-2022-019
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
http://www.openwall.com/lists/oss-security/2022/09/27/1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
https://security.netapp.com/advisory/ntap-20240705-0001/
Published: 2022-09-22T00:00:00
Last Modified: 2024-08-03T00:24:42.594Z
Copied to clipboard!