CVE-2022-3510

CVSS v3.1 7.5 (High)

EPSS 0.08 % (34^th)

Affected Products 2

Advisories 2

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Weaknesses

CWE-NVD-noinfo

Related CVEs

CVE-2022-3171

CVE Status: PUBLISHED
CNA: Google Inc.
Published Date: 2022-12-12 13:15:14
(21 months ago)
Updated Date: 2023-11-07 03:51:20
(10 months ago)

Affected Products

Google

Configuration #1

	CPE23	From	Up To
Google Protobuf-java from 3.16.0 version and prior 3.16.3 version	cpe:2.3:a:google:protobuf-java	>= 3.16.0	< 3.16.3
Google Protobuf-java from 3.19.0 version and prior 3.19.6 version	cpe:2.3:a:google:protobuf-java	>= 3.19.0	< 3.19.6
Google Protobuf-java from 3.20.0 version and prior 3.20.3 version	cpe:2.3:a:google:protobuf-java	>= 3.20.0	< 3.20.3
Google Protobuf-java from 3.21.0 version and prior 3.21.7 version	cpe:2.3:a:google:protobuf-java	>= 3.21.0	< 3.21.7
Google Protobuf-javalite from 3.16.0 version and prior 3.16.3 version	cpe:2.3:a:google:protobuf-javalite	>= 3.16.0	< 3.16.3
Google Protobuf-javalite from 3.17.0 version and prior 3.19.6 version	cpe:2.3:a:google:protobuf-javalite	>= 3.17.0	< 3.19.6
Google Protobuf-javalite from 3.20.0 version and prior 3.20.3 version	cpe:2.3:a:google:protobuf-javalite	>= 3.20.0	< 3.20.3
Google Protobuf-javalite from 3.21.0 version and prior 3.21.7 version	cpe:2.3:a:google:protobuf-javalite	>= 3.21.0	< 3.21.7