Vulnerability in Google Llc Google-protobuf [Jruby Gem]
CVE-2021-22569
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numb…
EPSS: 0.005 (65.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Google Llc Google-protobuf [Jruby Gem] — versions unspecified
- Google Llc Protobuf-java — versions unspecified
- Google Llc Protobuf-kotlin — versions unspecified
Weakness classification (CWE)
Public proof-of-concept exploits
References
- bugs.chromium.org/p/oss-fuzz/issues/detail
- cloud.google.com/support/bulletins
- [oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS (mailing-list)
- [oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS (mailing-list)
- www.oracle.com/security-alerts/cpuapr2022.html
- [debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update (mailing-list)
Frequently asked questions
- What is CVE-2021-22569?
- CVE-2021-22569 is a high-severity vulnerability in Google Llc Google-protobuf [Jruby Gem], classified under CWE-696. CVSS score: 7.5/10. Published 2022-01-07.
- How severe is CVE-2021-22569?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2021-22569 known to be exploited?
- 16 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.