Disha Talreja created ATLAS-4925:
------------------------------------
Summary: Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2 due to CVE-2024-7254
Key: ATLAS-4925
URL: https://issues.apache.org/jira/browse/ATLAS-4925
Project: Atlas
Issue Type: Task
Components: atlas-core
Reporter: Disha Talreja
Assignee: Disha Talreja
Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2 due to CVE-2024-7254
Any project that parses untrusted Protocol Buffers data containing an arbitrary
number of nested groups / series of SGROUP tags can be corrupted by exceeding the
stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with
DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf
map fields, creates unbounded recursions that can be abused by an attacker.
[https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-8055227]
[https://nvd.nist.gov/vuln/detail/CVE-2024-7254]
[https://github.com/advisories/GHSA-735f-pc8j-v9w8]
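An added triage helper, not part of this issue or of the Atlas project: it scans `mvn dependency:list` style output for `protobuf-java` / `protobuf-javalite` coordinates and flags versions that predate the fix for CVE-2024-7254. The affected-range rule is an assumption derived from the three fix versions in the summary (a release is treated as affected when it is below the fix on its own line, and the 4.x lines before 4.27 are treated as never fixed); the dependency lines below are constructed sample input, not output from a real Atlas build.

```python
import re
from typing import List, Optional, Tuple

# Fixed versions named in the issue summary: 3.25.5, 4.27.5 and 4.28.2.
# Assumption: every protobuf-java release below the fixed version of its
# own line is affected, and 4.x lines older than 4.27 never received a fix.
FIXED_3X = (3, 25, 5)
FIXED_4X = {27: (4, 27, 5), 28: (4, 28, 2)}

VersionKey = Tuple[int, int, int, int]


def parse_version(version: str) -> Optional[VersionKey]:
    """Turn '3.25.5' or '4.28.0-rc-1' into a sortable key.

    The fourth element ranks a pre-release (any qualifier after the numeric
    core) below the final release with the same numbers.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    is_final = 1 if m.group(4) == "" else 0
    return (major, minor, patch, is_final)


def is_vulnerable(version: str) -> bool:
    """True when this protobuf-java version predates the fix for CVE-2024-7254."""
    key = parse_version(version)
    if key is None:
        raise ValueError(f"unparseable protobuf-java version: {version!r}")
    major, minor, _patch, _is_final = key
    if major < 3:
        return True  # predates the whole 3.x line, so below 3.25.5
    if major == 3:
        return key < FIXED_3X + (1,)
    if major == 4:
        fixed = FIXED_4X.get(minor)
        if fixed is None:
            return minor < 27  # 4.0-4.26: no fix; 4.29+: shipped after the fix
        return key < fixed + (1,)
    return False


def scan_dependency_list(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Scan `mvn dependency:list` output for protobuf-java(lite) coordinates.

    Maven prints groupId:artifactId:type[:classifier]:version:scope, so the
    version is the first field after the artifact that starts with a digit.
    Returns (artifact, version, vulnerable) for every hit, in input order.
    """
    findings = []
    for line in lines:
        m = re.search(r"com\.google\.protobuf:(protobuf-java(?:lite)?)((?::[^:\s]+)+)", line)
        if not m:
            continue
        artifact = m.group(1)
        fields = m.group(2).split(":")[1:]
        version = next((f for f in fields if f[:1].isdigit()), None)
        if version is None:
            continue
        findings.append((artifact, version, is_vulnerable(version)))
    return findings


# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.google.protobuf:protobuf-java:jar:3.21.12:compile
[INFO]    com.google.protobuf:protobuf-java-util:jar:3.21.12:compile
[INFO]    com.google.protobuf:protobuf-javalite:jar:4.28.1:runtime
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    com.google.protobuf:protobuf-java:jar:3.25.5:test
""".splitlines()


if __name__ == "__main__":
    for artifact, version, vulnerable in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        status = "VULNERABLE (CVE-2024-7254)" if vulnerable else "ok"
        print(f"{artifact} {version}: {status}")
```

Feed it the real output of `mvn dependency:list` (or `dependency:tree`, whose lines carry the same coordinates) to see which modules still pull in an affected version through transitive dependencies; the remediation itself is the one this issue tracks, pinning `protobuf-java` to the fixed release of the line in use in the build's dependency management.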
--
This message was sent by Atlassian Jira
(v8.20.10#820010)