Vulnerability Description
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Protobuf | < 3.15.0 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 34 |
| Oracle | Mysql | <= 8.0.28 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Oncommand Insight | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Snapcenter | - |
Related Weaknesses (CWE)
References
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 (Release Notes, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20220429-0005/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Third Party Advisory)
FAQ
What is CVE-2021-22570?
CVE-2021-22570 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error me...
How severe is CVE-2021-22570?
CVE-2021-22570 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-22570?
Check the references section above for vendor advisories and patch information. Affected products include: Google Protobuf, Debian Debian Linux, Fedoraproject Fedora, Oracle Mysql, Netapp Active Iq Unified Manager.