[MAVEN:GHSA-77RM-9X9H-XJ3G] NULL Pointer Dereference in Protocol Buffers

Severity: High
Affected Packages: 5
Fixed Packages: 5
CVEs: 1

A null pointer dereference occurs when a null character is present in a proto symbol. The symbol is parsed incorrectly, which leads to an unchecked call into the proto file's name while the resulting error message is generated. Because the symbol is parsed incorrectly, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/protobuf | | protobuf | < 3.15.0 | | | |
| Fixed | pkg:maven/protobuf | | protobuf | = 3.15.0 | | | |
| Affected | pkg:maven/google/protobuf | google | protobuf | < 3.15.0 | | | |
| Fixed | pkg:maven/google/protobuf | google | protobuf | = 3.15.0 | | | |
| Affected | pkg:maven/Google.Protobuf | | Google.Protobuf | < 3.15.0 | | | |
| Fixed | pkg:maven/Google.Protobuf | | Google.Protobuf | = 3.15.0 | | | |
| Affected | pkg:maven/github.com/protocolbuffers/protobuf | github.com/protocolbuffers | protobuf | < 3.15.0 | | | |
| Fixed | pkg:maven/github.com/protocolbuffers/protobuf | github.com/protocolbuffers | protobuf | = 3.15.0 | | | |
| Affected | pkg:maven/com.google.protobuf/protobuf-java | com.google.protobuf | protobuf-java | < 3.15.0 | | | |
| Fixed | pkg:maven/com.google.protobuf/protobuf-java | com.google.protobuf | protobuf-java | = 3.15.0 | | | |