CVE-2022-3509 @ Maven-com.google.protobuf:protobuf-java-3.11.4 #17
Comments
oscardatastream
added
project:oscardatastream/slackDatastream
SCA
and removed
CxSCA
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2022-3509
Checkmarx Project: oscardatastream/slackDatastream
Repository URL: https://github.com/oscardatastream/slackDatastream
Branch: master
Scan ID: c523472e-01c3-4305-b7dd-e80238456bde
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.16.3, 3.17.x prior to 3.19.6, 3.20.x prior to 3.20.3, 3.21.x prior to 3.21.7, and 4.0.0-rc-1, 4.0.0-rc-2 lead to a Denial of Service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 3.16.3
The text was updated successfully, but these errors were encountered: