PoC-in-GitHub/2021/CVE-2021-22569.json

[
    {
        "id": 447451610,
        "name": "A-potential-Denial-of-Service-issue-in-protobuf-java",
        "full_name": "Mario-Kart-Felix\/A-potential-Denial-of-Service-issue-in-protobuf-java",
        "owner": {
            "login": "Mario-Kart-Felix",
            "id": 76971465,
            "avatar_url": "https:\/\/avatars.githubusercontent.com\/u\/76971465?v=4",
            "html_url": "https:\/\/github.com\/Mario-Kart-Felix",
            "user_view_type": "public"
        },
        "html_url": "https:\/\/github.com\/Mario-Kart-Felix\/A-potential-Denial-of-Service-issue-in-protobuf-java",
        "description": "A potential Denial of Service issue in protobuf-java high severity GitHub Reviewed Published 5 days ago in protocolbuffers\/protobuf • Updated yesterday Vulnerability details Dependabot alerts 2 Package  com.google.protobuf:protobuf-java (maven) Affected versions < 3.16.1 >= 3.18.0, < 3.18.2 >= 3.19.0, < 3.19.2 Patched versions 3.16.1 3.18.2 3.19.2 Package  com.google.protobuf:protobuf-kotlin (maven) Affected versions >= 3.18.0, < 3.18.2 >= 3.19.0, < 3.19.2 Patched versions 3.18.2 3.19.2 Package  google-protobuf (RubyGems) Affected versions < 3.19.2 Patched versions 3.19.2 Description Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.  Reporter: OSS-Fuzz  Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf \"javalite\" users (typically Android) are not affected.  Severity CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.  Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.  Remediation and Mitigation Please update to the latest available versions of the following packages:  protobuf-java (3.16.1, 3.18.2, 3.19.2) protobuf-kotlin (3.18.2, 3.19.2) google-protobuf [JRuby gem only] (3.19.2) References GHSA-wrvw-hg22-4m67 https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-22569 https:\/\/bugs.chromium.org\/p\/oss-fuzz\/issues\/detail?id=39330 https:\/\/cloud.google.com\/support\/bulletins#gcp-2022-001",
        "fork": false,
        "created_at": "2022-01-13T03:33:54Z",
        "updated_at": "2022-02-17T18:43:41Z",
        "pushed_at": "2022-02-17T18:41:51Z",
        "stargazers_count": 0,
        "watchers_count": 0,
        "has_discussions": false,
        "forks_count": 2,
        "allow_forking": true,
        "is_template": false,
        "web_commit_signoff_required": false,
        "topics": [],
        "visibility": "public",
        "forks": 2,
        "watchers": 0,
        "score": 0,
        "subscribers_count": 2
    }
]
Auto Update 2024/11/28 18:31:51 2024-11-28 19:31:51 +01:00			`[`
			`{`
			`"id": 447451610,`
			`"name": "A-potential-Denial-of-Service-issue-in-protobuf-java",`
			`"full_name": "Mario-Kart-Felix\/A-potential-Denial-of-Service-issue-in-protobuf-java",`
			`"owner": {`
			`"login": "Mario-Kart-Felix",`
			`"id": 76971465,`
			`"avatar_url": "https:\/\/avatars.githubusercontent.com\/u\/76971465?v=4",`
			`"html_url": "https:\/\/github.com\/Mario-Kart-Felix",`
			`"user_view_type": "public"`
			`},`
			`"html_url": "https:\/\/github.com\/Mario-Kart-Felix\/A-potential-Denial-of-Service-issue-in-protobuf-java",`
			"description": "A potential Denial of Service issue in protobuf-java high severity GitHub Reviewed Published 5 days ago in protocolbuffers\/protobuf • Updated yesterday Vulnerability details Dependabot alerts 2 Package com.google.protobuf:protobuf-java (maven) Affected versions < 3.16.1 >= 3.18.0, < 3.18.2 >= 3.19.0, < 3.19.2 Patched versions 3.16.1 3.18.2 3.19.2 Package com.google.protobuf:protobuf-kotlin (maven) Affected versions >= 3.18.0, < 3.18.2 >= 3.19.0, < 3.19.2 Patched versions 3.18.2 3.19.2 Package google-protobuf (RubyGems) Affected versions < 3.19.2 Patched versions 3.19.2 Description Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: OSS-Fuzz Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf \"javalite\" users (typically Android) are not affected. Severity CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. Remediation and Mitigation Please update to the latest available versions of the following packages: protobuf-java (3.16.1, 3.18.2, 3.19.2) protobuf-kotlin (3.18.2, 3.19.2) google-protobuf [JRuby gem only] (3.19.2) References GHSA-wrvw-hg22-4m67 https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-22569 https:\/\/bugs.chromium.org\/p\/oss-fuzz\/issues\/detail?id=39330 https:\/\/cloud.google.com\/support\/bulletins#gcp-2022-001",
			`"fork": false,`
			`"created_at": "2022-01-13T03:33:54Z",`
			`"updated_at": "2022-02-17T18:43:41Z",`
			`"pushed_at": "2022-02-17T18:41:51Z",`
			`"stargazers_count": 0,`
			`"watchers_count": 0,`
			`"has_discussions": false,`
			`"forks_count": 2,`
			`"allow_forking": true,`
			`"is_template": false,`
			`"web_commit_signoff_required": false,`
			`"topics": [],`
			`"visibility": "public",`
			`"forks": 2,`
			`"watchers": 0,`
			`"score": 0,`
			`"subscribers_count": 2`
			`}`
			`]`