Java Protobuf: StackOverflow via Untrusted Nested SGROUP Tags
CVE-2024-7254 Published on September 19, 2024
Stack overflow in Protocol Buffers Java Lite
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups (a series of SGROUP tags) can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that an attacker can abuse.
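As an added, dependency-free Java example (not code from the advisory or from protobuf-java): a pre-parse scan of the raw wire format that measures how deeply SGROUP tags nest, so a service can reject untrusted input over a chosen depth before the affected parser recurses on it. The nested-group sample it checks is constructed inside the block; the limit of 100 is protobuf's default recursion limit.

```java
import java.util.Arrays;

/** Added example, not part of protobuf-java: bounds SGROUP nesting before the real parser runs. */
public final class GroupDepthCheck {
    private static final int VARINT = 0, FIXED64 = 1, LEN = 2, SGROUP = 3, EGROUP = 4, FIXED32 = 5;

    /** Returns the deepest SGROUP nesting, or -1 if the data is truncated, unbalanced or malformed. */
    public static int maxGroupDepth(byte[] buf) {
        int pos = 0, depth = 0, max = 0;
        while (pos < buf.length) {
            long[] v = readVarint(buf, pos);          // {value, position after}, or null if truncated
            if (v == null || v[0] < 0) return -1;     // a tag must be a non-negative varint
            pos = (int) v[1];
            switch ((int) (v[0] & 7)) {               // low 3 bits of the tag are the wire type
                case VARINT: v = readVarint(buf, pos); if (v == null) return -1; pos = (int) v[1]; break;
                case FIXED64: pos += 8; break;
                case LEN: v = readVarint(buf, pos); if (v == null || v[0] < 0 || v[0] > buf.length - v[1]) return -1;
                          pos = (int) (v[1] + v[0]); break;
                case SGROUP: if (++depth > max) max = depth; break;   // the recursion point in the vulnerable parsers
                case EGROUP: if (--depth < 0) return -1; break;       // EGROUP without a matching SGROUP
                case FIXED32: pos += 4; break;
                default: return -1;                                   // wire types 6 and 7 are undefined
            }
            if (pos > buf.length) return -1;
        }
        return depth == 0 ? max : -1;                                 // every group must be closed
    }

    /** Decodes one varint at pos: {value, position after it}, or null if truncated or over-long. */
    private static long[] readVarint(byte[] buf, int pos) {
        long value = 0;
        for (int shift = 0; shift < 64 && pos < buf.length; shift += 7) {
            byte b = buf[pos++];
            value |= (long) (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return new long[] {value, pos};
        }
        return null;
    }

    /** Constructed sample: n nested field-1 groups (0x0B = SGROUP tag, 0x0C = EGROUP tag) around one int32. */
    static byte[] nestedGroups(int n) {
        byte[] out = new byte[2 * n + 2];
        Arrays.fill(out, 0, n, (byte) 0x0B);
        out[n] = 0x10; out[n + 1] = 0x2A;                 // field 2, varint 42
        Arrays.fill(out, n + 2, out.length, (byte) 0x0C);
        return out;
    }

    public static void main(String[] args) {
        int limit = 100;                                   // protobuf's default recursion limit
        for (int n : new int[] {3, 100000}) {
            int depth = maxGroupDepth(nestedGroups(n));
            System.out.println("nesting " + n + " -> measured " + depth + ", " + ((depth < 0 || depth > limit) ? "REJECT" : "ok"));
        }
    }
}
```

The scan is iterative, so it cannot itself overflow the stack on deep input; upgrading to the fixed versions listed below remains the actual fix, and this check only fences off over-deep messages in the meantime.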
Weakness Types
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2024-7254 has been classified as a Resource Exhaustion vulnerability or weakness.
What is a Stack Exhaustion Vulnerability?
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
CVE-2024-7254 has been classified as a Stack Exhaustion vulnerability or weakness.
Products Associated with CVE-2024-7254
Affected Versions
Google Protocol Buffers:
- Before 28.2 is affected.
- Before 3.25.5 is affected.
- Before 4.27.5 is affected.
- Before 4.28.2 is affected.
- Version 4.27 and below 4.27.5 is affected.
- Version 4.28 and below 4.28.2 is affected.
Vulnerable Packages
The following package names and versions may be associated with CVE-2024-7254.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | com.google.protobuf:protobuf-java | >= 4.28.0.rc.1, < 4.28.2 | 4.28.2 |
| maven | com.google.protobuf:protobuf-java | >= 4.0.0.rc.1, < 4.27.5 | 4.27.5 |
| maven | com.google.protobuf:protobuf-javalite | >= 4.28.0.rc.1, < 4.28.2 | 4.28.2 |
| maven | com.google.protobuf:protobuf-javalite | >= 4.0.0.rc.1, < 4.27.5 | 4.27.5 |
| maven | com.google.protobuf:protobuf-kotlin | >= 4.28.0.rc.1, < 4.28.2 | 4.28.2 |
| maven | com.google.protobuf:protobuf-kotlin | >= 4.0.0.rc.1, < 4.27.5 | 4.27.5 |
| maven | com.google.protobuf:protobuf-kotlin-lite | >= 4.28.0.rc.1, < 4.28.2 | 4.28.2 |
| maven | com.google.protobuf:protobuf-kotlin-lite | >= 4.0.0.rc.1, < 4.27.5 | 4.27.5 |
| maven | com.google.protobuf:protobuf-kotlin-lite | < 3.25.5 | 3.25.5 |
| maven | com.google.protobuf:protobuf-kotlin | < 3.25.5 | 3.25.5 |
| maven | com.google.protobuf:protobuf-javalite | < 3.25.5 | 3.25.5 |
| maven | com.google.protobuf:protobuf-java | < 3.25.5 | 3.25.5 |
| rubygems | google-protobuf | >= 4.28.0.rc.1, < 4.28.2 | 4.28.2 |
| rubygems | google-protobuf | >= 4.0.0.rc.1, < 4.27.5 | 4.27.5 |
| rubygems | google-protobuf | < 3.25.5 | 3.25.5 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.