CVE-2022-1941
Improper Restriction of Operations within the Bounds of a Memory Buffer in pypi/protobuf
CVE-2022-1941, GHSA-8gq9-2x98-w8hf
pypi/protobuf
Improper Restriction of Operations within the Bounds of a Memory Buffer
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
All versions before 3.18.3, all versions starting from 3.19.0 before 3.19.5, all versions starting from 3.20.0 before 3.20.2, all versions starting from 4.0.0 before 4.21.6
Upgrade to versions 3.18.3, 3.19.5, 3.20.2, 4.21.6 or above.
2022-09-27
| source |