Search CVE reports
1 – 10 of 19 results
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object...
1 affected package
protobuf
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| protobuf | Not affected | Not affected | Not affected | Not affected | Not affected |
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to...
1 affected package
protobuf
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| protobuf | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
Some fixes available 4 of 6
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion...
1 affected package
protobuf
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| protobuf | Fixed | Fixed | Fixed | Vulnerable | Vulnerable |
The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.
1 affected package
rust-protobuf
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| rust-protobuf | Needs evaluation | Needs evaluation | Needs evaluation | — | — |
Some fixes available 6 of 8
Any project that uses the Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python...
1 affected package
protobuf
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| protobuf | — | Fixed | Fixed | Fixed | Fixed |
Some fixes available 7 of 8
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields...
1 affected package
protobuf
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| protobuf | — | Fixed | Fixed | Fixed | Fixed |
The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes...
1 affected package
protobuf
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| protobuf | — | Not affected | Not affected | Not affected | Not affected |
Some fixes available 15 of 22
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the...
3 affected packages
golang-google-protobuf, google-osconfig-agent, google-guest-agent
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| golang-google-protobuf | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | — |
| google-osconfig-agent | Fixed | Fixed | Fixed | Ignored | Ignored |
| google-guest-agent | Fixed | Fixed | Fixed | Fixed | Not affected |
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
4 affected packages
golang-github-golang-protobuf-1-3, golang-goprotobuf, golang-github-golang-protobuf-1-5, google-guest-agent
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| golang-github-golang-protobuf-1-3 | Not in release | Needs evaluation | Not in release | Not in release | Ignored |
| golang-goprotobuf | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
| golang-github-golang-protobuf-1-5 | Needs evaluation | Needs evaluation | Not in release | Not in release | Ignored |
| google-guest-agent | Not affected | Not affected | Not affected | Not affected | Not affected |
protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.
1 affected package
protobuf-c
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| protobuf-c | Not affected | Not affected | Needs evaluation | Ignored | Ignored |