:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
CVE-2022-3171 - High Severity Vulnerability
Vulnerable Library - protobuf-javalite-3.21.1.jar
Lite version of Protocol Buffers library. This version is optimized for code size, but does not guarantee API/ABI stability.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /common19/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-javalite/3.21.1/fd4b3a77714f62880d83d1943785cb95b039bc82/protobuf-javalite-3.21.1.pom
Dependency Hierarchy:
- :x: **protobuf-javalite-3.21.1.jar** (Vulnerable Library)
Found in HEAD commit: dba08ada652038fad929252d54b0519280e41690
Found in base branch: master
Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Each of the four versions is the first fixed release on its own 3.x branch; a release on a branch with no backported fix (for example 3.17.x or 3.18.x) is still affected and should move to 3.21.7 or later.
Publish Date: 2022-10-12
URL: CVE-2022-3171
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution: 3.21.7
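To turn the affected-version text in the vulnerability details and the 3.21.7 fix resolution into a repeatable check, here is an added Python example. It is not part of the Mend report or of the protobuf project: it parses Gradle module-cache paths of the shape shown in this report, classifies every protobuf-java / protobuf-javalite version it finds against the four fixed versions named in the advisory (in-branch comparison, with branches that received no backport treated as affected), and skips truncated entries instead of misreading them. The cache-layout regex, the sha1 placeholder directories and all sample paths other than the first one are assumptions constructed for the example.

```python
"""Classify protobuf-java / protobuf-javalite versions from a Gradle cache
against the CVE-2022-3171 fixed versions named in the advisory text."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions from the advisory: 3.16.3, 3.19.6, 3.20.3 and 3.21.7.
# Each is the first fixed release on its own major.minor branch.
FIXED_VERSIONS: Tuple[Tuple[int, int, int], ...] = ((3, 16, 3), (3, 19, 6), (3, 20, 3), (3, 21, 7))
AFFECTED_GROUP = "com.google.protobuf"
AFFECTED_ARTIFACTS = ("protobuf-java", "protobuf-javalite")  # "core and lite" in the advisory

# Gradle module cache layout (assumed from the path shape in this report):
#   .../modules-2/files-2.1/<group>/<artifact>/<version>/<sha1>/<file>
_CACHE_RE = re.compile(r"modules-2/files-2\.1/(?P<group>[^/]+)/(?P<artifact>[^/]+)/(?P<version>[^/]+)/")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.21.1' -> (3, 21, 1); a qualifier such as '-rc-1' on a piece is dropped."""
    nums: List[int] = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable_to_cve_2022_3171(version: str) -> bool:
    """True if this protobuf-java/javalite version predates the fix on its branch."""
    v = parse_version(version)
    if v >= max(FIXED_VERSIONS):          # 3.21.7 and everything newer (3.22+, 4.x)
        return False
    for fix in FIXED_VERSIONS:            # branch with a backported fix: compare in-branch
        if v[:2] == fix[:2]:
            return v < fix
    return True                           # branch without a backport (e.g. 3.17.x, 3.18.x)


def classify_cache_path(path: str) -> Optional[Dict[str, object]]:
    """Parse one Gradle cache path; None when it does not match the cache layout
    (a truncated entry such as '/odules-2/...' is skipped rather than misread)."""
    m = _CACHE_RE.search(path)
    if m is None:
        return None
    group, artifact, version = m.group("group", "artifact", "version")
    # Only the two artifacts the advisory names are flagged; a dependent such as
    # protobuf-java-util shows up through its own protobuf-java cache entry.
    affected = group == AFFECTED_GROUP and artifact in AFFECTED_ARTIFACTS
    return {
        "group": group,
        "artifact": artifact,
        "version": version,
        "vulnerable": affected and is_vulnerable_to_cve_2022_3171(version),
    }


def find_vulnerable(paths: List[str]) -> List[Tuple[str, str]]:
    """(artifact, version) pairs for every path that resolves to an affected version."""
    hits: List[Tuple[str, str]] = []
    for p in paths:
        info = classify_cache_path(p)
        if info and info["vulnerable"]:
            hits.append((str(info["artifact"]), str(info["version"])))
    return hits


# Constructed sample: the first entry is the path from this report; the rest are made up
# (sha1 directories are placeholders) to cover a truncated entry, an older core-library
# version, a fixed version and an artifact the advisory does not name.
SAMPLE_PATHS = [
    "/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-javalite/3.21.1/fd4b3a77714f62880d83d1943785cb95b039bc82/protobuf-javalite-3.21.1.pom",
    "/odules-2/files-2.1/com.google.protobuf/protobuf-javalite/3.21.1/fd4b3a77714f62880d83d1943785cb95b039bc82/protobuf-javalite-3.21.1.pom",
    "/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.4/0000000000000000000000000000000000000000/protobuf-java-3.19.4.jar",
    "/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-javalite/3.21.7/1111111111111111111111111111111111111111/protobuf-javalite-3.21.7.jar",
    "/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java-util/3.21.1/2222222222222222222222222222222222222222/protobuf-java-util-3.21.1.jar",
]


if __name__ == "__main__":
    for artifact, version in find_vulnerable(SAMPLE_PATHS):
        print(f"{artifact} {version}: affected by CVE-2022-3171, upgrade to 3.21.7")
```

Run against the real cache by feeding it the output of a `find ~/.gradle/caches/modules-2/files-2.1/com.google.protobuf -type f` listing; the in-branch comparison matters because a string or naive numeric compare would wrongly clear 3.19.4 (it is below 3.19.6) or wrongly flag 3.20.3.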