<p>Upgrade <code>Ubuntu:22.10</code> <code>protobuf</code> to version 3.12.4-1ubuntu7.22.10.1 or higher.</p>

CVE-2022-1941 Affecting protobuf package, versions <3.12.4-1ubuntu7.22.10.1

Threat Intelligence

0.21% (60^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-UBUNTU2210-PROTOBUF-3066016
published 27 Sep 2022
disclosed 22 Sep 2022

Report a new vulnerability Found a mistake?

Introduced: 22 Sep 2022

CVE-2022-1941 Open this link in a new tab

How to fix?

Upgrade Ubuntu:22.10 protobuf to version 3.12.4-1ubuntu7.22.10.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream protobuf package and not the protobuf package as distributed by Ubuntu. See How to fix? for Ubuntu:22.10 relevant fixed versions and status.

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

None
Availability (A)

High

CVE-2022-1941 Affecting protobuf package, versions <3.12.4-1ubuntu7.22.10.1

Severity

Based on Ubuntu security rating