cve/2022/CVE-2022-1941.md

### [CVE-2022-1941](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1941)
![](https://img.shields.io/static/v1?label=Product&message=protobuf-cpp&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=protobuf-python&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%203.16.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-1286%3A%20Improper%20Validation%20of%20Syntactic%20Correctness%20of%20Input&color=brighgreen)

### Description

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

### POC

#### Reference
- http://www.openwall.com/lists/oss-security/2022/09/27/1
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/MikeHorn-git/docker-forensic-toolbox
- https://github.com/sysdiglabs/charts
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2022-1941](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1941)`
			`![](https://img.shields.io/static/v1?label=Product&message=protobuf-cpp&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=protobuf-python&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%203.16.1%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-1286%3A%20Improper%20Validation%20of%20Syntactic%20Correctness%20of%20Input&color=brighgreen)`

			`### Description`

			A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

			`### POC`

			`#### Reference`
			`- http://www.openwall.com/lists/oss-security/2022/09/27/1`
			`- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/MikeHorn-git/docker-forensic-toolbox`
			`- https://github.com/sysdiglabs/charts`