
CVE-2024-7254

2024-09-19 01:15:10
Debian Security Bug Tracker
security-tracker.debian.org
Tags: protocol buffers, stackoverflow, nested groups, sgroup tags, untrusted data, parser, attacker, vulnerability, recursion

CVSS4: 8.7 (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:H/SA:N

AI Score: 7.5 (Confidence: Low)

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups (a series of SGROUP tags) can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that an attacker can abuse.
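As an added illustration (not code from the Debian tracker or from the protobuf project), here is a minimal unknown-field skipper for the protobuf wire format that shows where a run of nested SGROUP tags turns into recursion, and the depth bound that stops it before the call stack overflows. MAX_GROUP_DEPTH, the function names and the nested_groups() input are assumptions made for this example.

```python
VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = 0, 1, 2, 3, 4, 5  # protobuf wire types
MAX_GROUP_DEPTH = 100  # assumed bound for this example; protobuf parsers default to 100

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:  # also catches any field that overran the buffer
            raise ValueError("unexpected end of buffer or oversized varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def skip_field(buf: bytes, pos: int, wire_type: int, field: int, depth: int) -> int:
    """Skip one unknown field's payload; a start-group tag descends one nesting level."""
    if wire_type == VARINT:
        _, pos = read_varint(buf, pos)
    elif wire_type in (FIXED64, FIXED32):
        pos += 8 if wire_type == FIXED64 else 4
    elif wire_type == LEN:
        length, pos = read_varint(buf, pos)
        pos += length
    elif wire_type == SGROUP:
        pos = skip_group(buf, pos, field, depth + 1)
    else:  # an EGROUP that closes nothing, or the reserved wire types 6 and 7
        raise ValueError(f"unexpected wire type {wire_type}")
    return pos

def skip_group(buf: bytes, pos: int, field: int, depth: int) -> int:
    """Consume fields until the EGROUP tag that closes `field`."""
    if depth > MAX_GROUP_DEPTH:  # the mitigation: fail before the call stack does
        raise ValueError(f"group nesting deeper than {MAX_GROUP_DEPTH}")
    while True:
        tag, pos = read_varint(buf, pos)
        wire_type, number = tag & 7, tag >> 3
        if wire_type == EGROUP and number == field:
            return pos
        pos = skip_field(buf, pos, wire_type, number, depth)

def count_unknown_fields(buf: bytes) -> int:
    """Walk a message treating every field as unknown and return the top-level field count."""
    pos, count = 0, 0
    while pos != len(buf):  # overshooting the buffer makes read_varint raise
        tag, pos = read_varint(buf, pos)
        pos, count = skip_field(buf, pos, tag & 7, tag >> 3, 0), count + 1
    return count

def nested_groups(field: int, levels: int) -> bytes:  # constructed input, not a real capture
    return bytes([field << 3 | SGROUP]) * levels + bytes([field << 3 | EGROUP]) * levels
```

Without the depth check, count_unknown_fields(nested_groups(1, 10000)) would recurse once per SGROUP tag until the interpreter's own stack limit stops it; with it, the message is rejected at level 101.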
