CVE-2024-7254: protobuf-java has potential Denial of Service issue
When parsing unknown fields in the Protobuf Java Lite and Full libraries, a maliciously crafted message can trigger a StackOverflowError and crash the program.
Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team (ecosystem@trailofbits.com)
Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
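As a compensating check for services that cannot upgrade immediately, the following is an added example (not protobuf's own code): an iterative pre-parse scan that bounds group (SGROUP/EGROUP) nesting in a wire-format buffer before the bytes reach protobuf-java. It assumes, as the linked GHSA advisory describes, that the recursion comes from nested groups in unknown fields; MAX_GROUP_DEPTH, the function names and the sample bytes are this example's own choices.

```python
MAX_GROUP_DEPTH = 100  # assumed cap; mirrors protobuf's default recursion limit
class WireFormatError(ValueError):
    """Malformed wire data."""
def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at pos; return (value, position after it)."""
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise WireFormatError("truncated or oversized varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def max_group_depth(buf: bytes) -> int:
    """Walk every tag iteratively (no recursion) and return the deepest
    SGROUP/EGROUP nesting; raise WireFormatError if the buffer is malformed."""
    pos = depth = deepest = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        wire_type = tag & 7
        if wire_type == 0:                       # VARINT: skip the value
            _, pos = _read_varint(buf, pos)
        elif wire_type in (1, 5):                # I64 / I32: fixed width
            pos += 8 if wire_type == 1 else 4
        elif wire_type == 2:                     # LEN: skip the prefixed payload
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wire_type == 3:                     # SGROUP: one level deeper
            depth += 1
            deepest = max(deepest, depth)
        elif wire_type == 4:                     # EGROUP: back out one level
            if depth == 0:
                raise WireFormatError("EGROUP without matching SGROUP")
            depth -= 1
        else:
            raise WireFormatError(f"invalid wire type {wire_type}")
    if depth or pos > len(buf):
        raise WireFormatError("unterminated group or truncated field")
    return deepest

def is_safe_to_parse(buf: bytes, limit: int = MAX_GROUP_DEPTH) -> bool:
    """Gate for untrusted input: well-formed and nested no deeper than limit."""
    try:
        return max_group_depth(buf) <= limit
    except WireFormatError:
        return False

# Constructed sample: field 1 holding three nested empty groups (0x0b = SGROUP tag, 0x0c = EGROUP tag).
SAMPLE_NESTED = b"\x0b" * 3 + b"\x0c" * 3
```

The scan does not descend into length-delimited fields, where the library's own recursion limit governs known submessage fields, so it supplements rather than replaces upgrading to a fixed release.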
References
- github.com/advisories/GHSA-735f-pc8j-v9w8
- github.com/protocolbuffers/protobuf
- github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b
- github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
- github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534
- github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46
- github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
- github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3
- github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
- github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml
- nvd.nist.gov/vuln/detail/CVE-2024-7254