rpm package
suse/protobuf&distro=SUSE Linux Enterprise Module for Public Cloud 15 SP4
pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-0994 | Hig | 7.5 | < 25.1-150400.9.19.1 | 25.1-150400.9.19.1 | Jan 23, 2026 | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l | |
| CVE-2025-4565 | — | < 25.1-150400.9.16.1 | 25.1-150400.9.16.1 | Jun 16, 2025 | Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of s | ||
| CVE-2024-7254 | — | < 25.1-150400.9.10.1 | 25.1-150400.9.10.1 | Sep 19, 2024 | Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 25.1-150400.9.3.1 | 25.1-150400.9.3.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-4785 | — | < 25.1-150400.9.3.1 | 25.1-150400.9.3.1 | Sep 13, 2023 | Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are aff | ||
| CVE-2023-33953 | — | < 25.1-150400.9.3.1 | 25.1-150400.9.3.1 | Aug 9, 2023 | gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounde | ||
| CVE-2023-32731 | — | < 25.1-150400.9.3.1 | 25.1-150400.9.3.1 | Jun 9, 2023 | When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy an | ||
| CVE-2023-32732 | — | < 25.1-150400.9.3.1 | 25.1-150400.9.3.1 | Jun 9, 2023 | gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recom | ||
| CVE-2023-30608 | — | < 25.1-150400.9.6.1 | 25.1-150400.9.6.1 | Apr 18, 2023 | sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of | ||
| CVE-2022-3171 | — | < 3.9.2-150200.4.19.2 | 3.9.2-150200.4.19.2 | Oct 12, 2022 | A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be | ||
| CVE-2022-1941 | — | < 3.9.2-150200.4.19.2 | 3.9.2-150200.4.19.2 | Sep 22, 2022 | A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can | ||
| CVE-2021-22569 | — | < 3.9.2-150200.4.19.2 | 3.9.2-150200.4.19.2 | Jan 7, 2022 | An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause fre |
- affected < 25.1-150400.9.19.1fixed 25.1-150400.9.19.1
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l
- CVE-2025-4565Jun 16, 2025affected < 25.1-150400.9.16.1fixed 25.1-150400.9.16.1
Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of s
- CVE-2024-7254Sep 19, 2024affected < 25.1-150400.9.10.1fixed 25.1-150400.9.10.1
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf
- affected < 25.1-150400.9.3.1fixed 25.1-150400.9.3.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-4785Sep 13, 2023affected < 25.1-150400.9.3.1fixed 25.1-150400.9.3.1
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are aff
- CVE-2023-33953Aug 9, 2023affected < 25.1-150400.9.3.1fixed 25.1-150400.9.3.1
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounde
- CVE-2023-32731Jun 9, 2023affected < 25.1-150400.9.3.1fixed 25.1-150400.9.3.1
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy an
- CVE-2023-32732Jun 9, 2023affected < 25.1-150400.9.3.1fixed 25.1-150400.9.3.1
gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recom
- CVE-2023-30608Apr 18, 2023affected < 25.1-150400.9.6.1fixed 25.1-150400.9.6.1
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of
- CVE-2022-3171Oct 12, 2022affected < 3.9.2-150200.4.19.2fixed 3.9.2-150200.4.19.2
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be
- CVE-2022-1941Sep 22, 2022affected < 3.9.2-150200.4.19.2fixed 3.9.2-150200.4.19.2
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can
- CVE-2021-22569Jan 7, 2022affected < 3.9.2-150200.4.19.2fixed 3.9.2-150200.4.19.2
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause fre