CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Published: Jan 10, 2022
Updated: May 9, 2024
CVE: CVE-2021-22569
GHSA: GHSA-wrvw-hg22-4m67
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-696

Affected Software
References

Software	From	Fixed in
google / protobuf-kotlin	3.19.0	3.19.2
google / protobuf-kotlin	-	3.18.2
google / protobuf-java	-	3.16.1
google / protobuf-java	3.18.0	3.18.2
google / protobuf-java	3.19.0	3.19.2
google / google-protobuf	-	3.19.2
oracle / communications_cloud_native_core_console	1.9.0	1.9.0.x
oracle / communications_cloud_native_core_policy	1.15.0	1.15.0.x
oracle / communications_cloud_native_core_network_repository_function	1.15.0	1.15.0.x
oracle / communications_cloud_native_core_network_repository_function	1.15.1	1.15.1.x
oracle / spatial_and_graph_mapviewer	21c	21c.x
oracle / spatial_and_graph_mapviewer	19c	19c.x
com.google.protobuf / protobuf-java	-	3.16.1
google-protobuf	-	3.19.2
com.google.protobuf / protobuf-java	3.18.0	3.18.2
com.google.protobuf / protobuf-java	3.19.0	3.19.2
com.google.protobuf / protobuf-kotlin	3.18.0	3.18.2
com.google.protobuf / protobuf-kotlin	3.19.0	3.19.2

Vulnerability Database

CVE-2021-22569

Deep Security Visibility Without the Complexity