An issue in protobuf-java allowed com.google.protobuf.UnknownFieldSet fields to be interleaved in such a way that they were processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading the affected libraries to the fixed versions listed below.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.google.protobuf:protobuf-java (Maven) | 0 | 3.16.1 | N/A |
| google-protobuf (RubyGems) | 0 | 3.19.2 | N/A |
| com.google.protobuf:protobuf-java (Maven) | 3.18.0 | 3.18.2 | N/A |
| com.google.protobuf:protobuf-java (Maven) | 3.19.0 | 3.19.2 | N/A |
| com.google.protobuf:protobuf-kotlin (Maven) | 3.18.0 | 3.18.2 | N/A |
| com.google.protobuf:protobuf-kotlin (Maven) | 3.19.0 | 3.19.2 | N/A |
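The table has three disjoint affected ranges for protobuf-java, so a single "is my version new enough" comparison is not sufficient: 3.17.x is unaffected while 3.18.0 and 3.19.0 are affected again. The following Java program is an added example, not code from the advisory or the protobuf project. It encodes the protobuf-java rows of the table as introduced/fixed pairs, reports whether a version string falls inside any of them, and reads the deployed version from the `META-INF/maven/com.google.protobuf/protobuf-java/pom.properties` entry that Maven-built jars carry (an assumption: if the jar on the classpath was not built by Maven, the lookup returns null and nothing is reported). The protobuf-kotlin rows follow the same pattern and can be added to the list in the same way.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import java.util.Properties;

/** Checks whether the protobuf-java on the classpath falls inside an affected version range. */
public final class ProtobufJavaVersionCheck {

    /** One row of the advisory table: a version is affected if introduced <= version < fixed. */
    static final class Range {
        final int[] introduced;
        final int[] fixed;

        Range(String introduced, String fixed) {
            this.introduced = parse(introduced);
            this.fixed = parse(fixed);
        }
    }

    // Affected ranges for com.google.protobuf:protobuf-java, copied from the advisory table.
    static final List<Range> AFFECTED = List.of(
        new Range("0", "3.16.1"),
        new Range("3.18.0", "3.18.2"),
        new Range("3.19.0", "3.19.2"));

    /** Parses "3.19.2" (a "-rc1"-style suffix is ignored) into {3, 19, 2}; "0" becomes {0, 0, 0}. */
    static int[] parse(String version) {
        String[] parts = version.split("[-+]", 2)[0].split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < Math.min(parts.length, 3); i++) {
            out[i] = Integer.parseInt(parts[i].trim());
        }
        return out;
    }

    /** Lexicographic comparison of major.minor.patch triples. */
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** True if the given protobuf-java version lies inside any affected range from the table. */
    static boolean isAffected(String version) {
        int[] v = parse(version);
        for (Range r : AFFECTED) {
            if (compare(v, r.introduced) >= 0 && compare(v, r.fixed) < 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the version from the pom.properties that Maven-built protobuf-java jars contain.
     * Assumption: the jar on the classpath was built by Maven; returns null if the entry is absent.
     */
    static String installedVersion() throws IOException {
        String path = "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties";
        try (InputStream in = ProtobufJavaVersionCheck.class.getClassLoader().getResourceAsStream(path)) {
            if (in == null) {
                return null;
            }
            Properties p = new Properties();
            p.load(in);
            return p.getProperty("version");
        }
    }

    /** Checks the boundaries of each table row so a typo in AFFECTED is caught before use. */
    static void selfTest() {
        boolean ok = isAffected("3.16.0") && !isAffected("3.16.1")
            && !isAffected("3.17.3")
            && isAffected("3.18.1") && !isAffected("3.18.2")
            && isAffected("3.19.1") && !isAffected("3.19.2")
            && !isAffected("3.20.0");
        if (!ok) {
            throw new IllegalStateException("affected-range table does not match the advisory");
        }
    }

    public static void main(String[] args) throws IOException {
        selfTest();
        String v = installedVersion();
        if (v == null) {
            System.out.println("protobuf-java pom.properties not found on the classpath");
        } else if (isAffected(v)) {
            System.out.println("protobuf-java " + v + " is inside an affected range; upgrade to the fixed version");
        } else {
            System.out.println("protobuf-java " + v + " is outside the affected ranges");
        }
    }
}
```

Run it with the application's own classpath (for example from a Maven build, `mvn exec:java` with the main class set to `ProtobufJavaVersionCheck`) so the version it reads is the one actually resolved at runtime rather than the one declared in the POM, since dependency mediation can pull in a transitive protobuf-java different from the one a project declares.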
CVSS Metrics