CVE-2024-7254 - Vulnerability Details

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Google	Google-protobuf Protobuf Protobuf-java Protobuf-javalite Protobuf-kotlin Protobuf-kotlin-lite
Redhat	Amq Streams Camel Quarkus Quarkus Trusted Profile Analyzer

No data.

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 4 for Quarkus 3
com.google.protobuf/protobuf-java	cpe:/a:redhat:camel_quarkus:3.8	RHSA-2024:7972	2024-10-10T00:00:00Z
Red Hat build of Quarkus 3.2
com.google.protobuf/protobuf	cpe:/a:redhat:quarkus:3.2::el8	RHSA-2024:7676	2024-10-10T00:00:00Z
Red Hat build of Quarkus 3.8
com.google.protobuf/protobuf	cpe:/a:redhat:quarkus:3.8::el8	RHSA-2024:7670	2024-10-10T00:00:00Z
Streams for Apache Kafka 2.8.0
	cpe:/a:redhat:amq_streams:2	RHSA-2024:9571	2024-11-13T00:00:00Z
Red Hat Trusted Profile Analyzer 1.2
registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2024:11255	2024-12-17T00:00:00Z
registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2024:11256	2024-12-17T00:00:00Z

References

Link	Providers
https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
https://nvd.nist.gov/vuln/detail/CVE-2024-7254
https://security.netapp.com/advisory/ntap-20241213-0010/
https://www.cve.org/CVERecord?id=CVE-2024-7254

History

Fri, 28 Mar 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:quarkus:3.8::el8

Tue, 17 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat trusted Profile Analyzer
CPEs		cpe:/a:redhat:trusted_profile_analyzer:1.2::el9
Vendors & Products		Redhat trusted Profile Analyzer

Fri, 13 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20241213-0010/

Thu, 05 Dec 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat quarkus
CPEs		cpe:/a:redhat:quarkus:3.2::el8
Vendors & Products		Redhat quarkus

Thu, 14 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat amq Streams
CPEs		cpe:/a:redhat:amq_streams:2
Vendors & Products		Redhat amq Streams

Fri, 11 Oct 2024 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat camel Quarkus
CPEs		cpe:/a:redhat:camel_quarkus:3.8
Vendors & Products		Redhat Redhat camel Quarkus

Thu, 19 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google google-protobuf Google protobuf Google protobuf-java Google protobuf-javalite Google protobuf-kotlin Google protobuf-kotlin-lite
CPEs		cpe:2.3:a:google:google-protobuf::::::ruby::* cpe:2.3:a:google:protobuf-java:::::::: cpe:2.3:a:google:protobuf-javalite:::::::: cpe:2.3:a:google:protobuf-kotlin-lite:::::::: cpe:2.3:a:google:protobuf-kotlin:::::::: cpe:2.3:a:google:protobuf::::::::
Vendors & Products		Google Google google-protobuf Google protobuf Google protobuf-java Google protobuf-javalite Google protobuf-kotlin Google protobuf-kotlin-lite
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 19 Sep 2024 09:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-7254 https://www.cve.org/CVERecord?id=CVE-2024-7254
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`

Thu, 19 Sep 2024 00:30:00 +0000

Type	Values Removed	Values Added
Description		Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
Title		Stack overflow in Protocol Buffers Java Lite
Weaknesses		CWE-20
References		https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2024-09-19T00:18:45.824Z

Updated: 2024-12-13T13:09:27.312Z

Reserved: 2024-07-29T21:41:56.116Z

Link: CVE-2024-7254

Vulnrichment

Updated: 2024-12-13T13:09:27.312Z

NVD

Status : Awaiting Analysis

Published: 2024-09-19T01:15:10.963

Modified: 2024-12-13T14:15:22.800

Link: CVE-2024-7254

Redhat

Severity : Important

Publid Date: 2024-09-19T01:15:10Z

Links: CVE-2024-7254 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7254", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2024-07-29T21:41:56.116Z", "datePublished": "2024-09-19T00:18:45.824Z", "dateUpdated": "2024-12-13T13:09:27.312Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Protocol Buffers", "repo": "https://github.com/protocolbuffers/protobuf", "vendor": "Google", "versions": [{"lessThan": "28.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java", "defaultStatus": "unaffected", "product": "protobuf-java", "vendor": "Google", "versions": [{"lessThan": "3.25.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.27.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.28.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "protobuf-javalite", "vendor": "Google", "versions": [{"lessThan": "3.25.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.27.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.28.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "protobuf-kotlin", "vendor": "Google", "versions": [{"lessThan": "3.25.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.27.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.28.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "protobuf-kotllin-lite", "vendor": "Google", "versions": [{"lessThan": "3.25.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.27.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.28.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"collectionURL": "https://rubygems.org/gems/google-protobuf", "defaultStatus": "unaffected", "product": "google-protobuf [JRuby Gem]", "vendor": "Google", "versions": [{"lessThan": "3.25.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.27.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.28.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested <code>group</code>s / series of <code>SGROUP</code> tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. "}], "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-09-19T00:18:45.824Z"}, "references": [{"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"}], "source": {"discovery": "UNKNOWN"}, "title": "Stack overflow in Protocol Buffers Java Lite", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "google", "product": "protobuf", "cpes": ["cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "28.2", "versionType": "custom"}]}, {"vendor": "google", "product": "protobuf-kotlin-lite", "cpes": ["cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*", "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "3.25.5", "versionType": "custom"}, {"version": "4.27", "status": "affected", "lessThan": "4.27.5", "versionType": "custom"}, {"version": "4.28", "status": "affected", "lessThan": "4.28.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T14:29:43.468555Z", "id": "CVE-2024-7254", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:46:14.517Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20241213-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-12-13T13:09:27.312Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20241213-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-12-13T13:09:27.312Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T14:29:43.468555Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"], "vendor": "google", "product": "protobuf", "versions": [{"status": "affected", "version": "0", "lessThan": "28.2", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*", "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*", "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"], "vendor": "google", "product": "protobuf-kotlin-lite", "versions": [{"status": "affected", "version": "0", "lessThan": "3.25.5", "versionType": "custom"}, {"status": "affected", "version": "4.27", "lessThan": "4.27.5", "versionType": "custom"}, {"status": "affected", "version": "4.28", "lessThan": "4.28.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T14:45:43.287Z"}}], "cna": {"title": "Stack overflow in Protocol Buffers Java Lite", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/protocolbuffers/protobuf", "vendor": "Google", "product": "Protocol Buffers", "versions": [{"status": "affected", "version": "0", "lessThan": "28.2", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Google", "product": "protobuf-java", "versions": [{"status": "affected", "version": "0", "lessThan": "3.25.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.27.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.28.2", "versionType": "custom"}], "collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java", "defaultStatus": "unaffected"}, {"vendor": "Google", "product": "protobuf-javalite", "versions": [{"status": "affected", "version": "0", "lessThan": "3.25.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.27.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.28.2", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Google", "product": "protobuf-kotlin", "versions": [{"status": "affected", "version": "0", "lessThan": "3.25.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.27.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.28.2", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Google", "product": "protobuf-kotllin-lite", "versions": [{"status": "affected", "version": "0", "lessThan": "3.25.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.27.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.28.2", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Google", "product": "google-protobuf [JRuby Gem]", "versions": [{"status": "affected", "version": "0", "lessThan": "3.25.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.27.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.28.2", "versionType": "custom"}], "collectionURL": "https://rubygems.org/gems/google-protobuf", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.", "supportingMedia": [{"type": "text/html", "value": "Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested <code>group</code>s / series of <code>SGROUP</code> tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2024-09-19T00:18:45.824Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7254", "state": "PUBLISHED", "dateUpdated": "2024-12-13T13:09:27.312Z", "dateReserved": "2024-07-29T21:41:56.116Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2024-09-19T00:18:45.824Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."}, {"lang": "es", "value": "Cualquier proyecto que analice datos de Protocol Buffers no confiables que contengan una cantidad arbitraria de grupos anidados o series de etiquetas SGROUP puede corromperse si se excede el l\u00edmite de la pila, es decir, StackOverflow. Analizar grupos anidados como campos desconocidos con DiscardUnknownFieldsParser o el analizador Java Protobuf Lite, o contra campos de mapa Protobuf, crea recursiones ilimitadas que pueden ser utilizadas de forma abusiva por un atacante."}], "id": "CVE-2024-7254", "lastModified": "2024-12-13T14:15:22.800", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2024-09-19T01:15:10.963", "references": [{"source": "cve-coordination@google.com", "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20241213-0010/"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7972", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "com.google.protobuf/protobuf-java", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-10-10T00:00:00Z"}, {"advisory": "RHSA-2024:7676", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "com.google.protobuf/protobuf", "product_name": "Red Hat build of Quarkus 3.2", "release_date": "2024-10-10T00:00:00Z"}, {"advisory": "RHSA-2024:7670", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "package": "com.google.protobuf/protobuf", "product_name": "Red Hat build of Quarkus 3.8", "release_date": "2024-10-10T00:00:00Z"}, {"advisory": "RHSA-2024:9571", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Streams for Apache Kafka 2.8.0", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:11255", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "impact": "low", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-12-17T00:00:00Z"}, {"advisory": "RHSA-2024:11256", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "impact": "low", "package": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2024-12-17T00:00:00Z"}], "bugzilla": {"description": "protobuf: StackOverflow vulnerability in Protocol Buffers", "id": "2313454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.", "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-7254", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "protobuf", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "protobuf", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "protobuf", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/instructlab-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Under investigation", "package_name": "org.jboss.eap-jboss-eap-xp", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Under investigation", "package_name": "org.jboss.eap-jboss-eap-xp", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "protobuf", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Under investigation", "package_name": "com.google.protobuf/protobuf-java", "product_name": "streams for Apache Kafka"}], "public_date": "2024-09-19T01:15:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7254\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7254\nhttps://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"], "statement": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack's capacity, causing the application to crash or become unresponsive.\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object