CVE-2022-3171

ADVISORY - github

Summary

A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Reporter: OSS Fuzz

Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)

Remediation and Mitigation

Please update to the latest available versions of the following packages:

protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)

EPSS Score⁠: 0.00083 (0.243)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

CVE-2022-3171

Summary

Summary

Severity

Remediation and Mitigation

Common Weakness Enumeration (CWE)

CWE-20⁠

CWE-20⁠

CWE-1035⁠

CWE-937⁠

CWE-1035⁠

CWE-707⁠

CWE-937⁠

CWE-1035⁠

CWE-707⁠

CWE-937⁠

CWE-1035⁠

CWE-707⁠

CWE-937⁠

CWE-1035⁠

CWE-707⁠

CWE-937⁠

CWE-1035⁠

CWE-707⁠

CWE-937⁠

CWE-20⁠

Impacted images

Sign in to Docker Scout