Vulnerability in google-protobuf
A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.
Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf “javalite” users (typically Android) are not affected.
High - An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.
Please update to the latest available versions of the following packages:
|Access Vector||Access Complexity||Authentication||Confidentiality Impact||Integrity Impact||Availability Impact|