CVE-2022-33070 - Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_a

CVE-2022-33070

Summary

Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

References

https://github.com/protobuf-c/protobuf-c/pull/508
https://github.com/protobuf-c/protobuf-c/issues/506
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFN2GHUEGTSHRD7J5PKQ5DRSJSEQ2IKN/

Vulnerable Configurations

cpe:2.3:a:protobuf-c_project:protobuf-c:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:protobuf-c_project:protobuf-c:1.4.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 27-10-2022 - 21:02)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:N/A:P

Last major update

27-10-2022 - 21:02

Published

23-06-2022 - 17:15

Last modified

27-10-2022 - 21:02