PT-2022-6735 · Google · Protocol Buffers

Published: 2022-09-13 · Updated: 2026-02-18 · CVE-2022-1941

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Protocol Buffers (protobuf-cpp): versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5
Protocol Buffers (protobuf-python): versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5
Description A parsing vulnerability in the handling of the MessageSet type in Protocol Buffers can lead to out-of-memory failures. A specially crafted message whose MessageSet elements each carry multiple key-value pairs triggers the parsing issue and can cause a denial of service against any service that parses unsanitized input. A small malicious payload is enough: the page reports that parsing it makes the running service allocate more than 3 GB of RAM.
Recommendations Upgrade to the first fixed release on your branch:
- Versions prior to 3.18.3: upgrade to 3.18.3 or later (protobuf-cpp and protobuf-python). This is also the target for the 3.16.x and 3.17.x branches, which received no fix of their own.
- Versions prior to 3.19.5: upgrade to 3.19.5 or later (protobuf-cpp and protobuf-python).
- Versions prior to 3.20.2: upgrade to 3.20.2 or later (protobuf-cpp and protobuf-python).
- Versions prior to 3.21.6: upgrade to 3.21.6 or later (protobuf-cpp).
- Versions prior to 4.21.6: upgrade to 4.21.6 or later (protobuf-python).
Where upgrading is not immediately possible, a temporary workaround is to restrict the use of the MessageSet type in Protocol Buffers.
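The fixed versions above are per release branch, and that is where version checks usually go wrong: a single test such as "version >= 3.21.6" would flag 3.19.5 and 3.20.2 as vulnerable although both are fixed, and would wrongly clear nothing on the 3.16.x/3.17.x branches. The following is an added example written for this page, not tooling from the Protocol Buffers project. The fixed versions are the ones listed under Recommendations; the function names, the version regex, the "protobuf==" pin format and the sample `pip freeze` lines are assumptions made for the example.

```python
"""
Branch-aware check of protobuf versions against the CVE-2022-1941 ranges.

Fixed versions come from the advisory's recommendations. The helper names,
the version regex and the sample pip-freeze lines are assumptions made for
this example, not part of the advisory or of the protobuf project.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained branch, keyed by (major, minor).
FIXED_CPP: Dict[Tuple[int, int], Version] = {
    (3, 18): (3, 18, 3),
    (3, 19): (3, 19, 5),
    (3, 20): (3, 20, 2),
    (3, 21): (3, 21, 6),
}
FIXED_PYTHON: Dict[Tuple[int, int], Version] = {
    (3, 18): (3, 18, 3),
    (3, 19): (3, 19, 5),
    (3, 20): (3, 20, 2),
    (4, 21): (4, 21, 6),
}
# Branches 3.16.x and 3.17.x received no fix of their own; the advisory sends
# them to 3.18.3, so anything below that without a branch entry is affected.
OLDEST_FIXED: Version = (3, 18, 3)

# Assumed version syntax: "3.20.1", "v3.20.1", "4.21.5rc1" (suffix ignored).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch) from a version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised protobuf version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str, package: str = "protobuf-python") -> bool:
    """True if `version` of `package` lies inside the affected ranges.

    The comparison is done per branch: 3.19.5 is fixed even though it is
    numerically below 3.21.6, so one global threshold would be wrong.
    """
    if package == "protobuf-python":
        fixed = FIXED_PYTHON
    elif package == "protobuf-cpp":
        fixed = FIXED_CPP
    else:
        raise ValueError(f"unknown package: {package!r}")
    v = parse_version(version)
    branch = v[:2]
    if branch in fixed:
        return v < fixed[branch]
    # No fix on this branch: affected if older than the oldest fixed release,
    # otherwise it is a newer branch that already carries the fix.
    return v < OLDEST_FIXED


def scan_pip_freeze(lines: List[str]) -> List[str]:
    """Return the 'protobuf==X' pins from pip-freeze output that are affected."""
    hits = []
    for line in lines:
        m = re.match(r"^\s*protobuf==(\S+)", line)
        if m and is_vulnerable(m.group(1), "protobuf-python"):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    # Constructed sample of `pip freeze` output; not taken from a real host.
    sample = ["grpcio==1.48.1", "protobuf==3.19.4", "six==1.16.0"]
    print(scan_pip_freeze(sample))
```

Feed `scan_pip_freeze` the lines of each service's lockfile or `pip freeze` output to find pins that still need the branch upgrade; for C++ builds, call `is_vulnerable(version, "protobuf-cpp")` with the version your build pulls in.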

Tags: Fix available · DoS (memory exhaustion)


Weakness Enumeration

Related Identifiers

ALSA-2025:7138
ALT-PU-2022-3253
ALT-PU-2023-1230
AZL-13172
AZL-13174
AZL-25856
AZL-35018
AZL-35125
AZL-35147
AZL-38908
AZL-39031
AZL-39061
BDU:2023-03839
CVE-2022-1941
DLA-3393-1
GHSA-8GQ9-2X98-W8HF
INFSA-2025_7138
MGASA-2023-0092
OESA-2022-2010
OESA-2022-2011
OESA-2022-2012
OPENSUSE-SU-2022_3922-1
RHSA-2025:7138
SUSE-SU-2022:3922-1
SUSE-SU-2023:2783-1
SUSE-SU-2023:2783-2
USN-5769-1
USN-5945-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Linuxmint
Protocol Buffers
Red Hat
Rocky Linux
Suse
Ubuntu