A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

An update of the protobuf package has been released.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-14755 advisory.

  - A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions     prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing     multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be     converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage     collection pauses. We recommend updating to the versions mentioned above. (CVE-2022-3509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202301-09 (protobuf-java: Denial of Service)

  - A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6     and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated     embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between     mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend     updating to the versions mentioned above. (CVE-2022-3171)

  - A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions     prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing     multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be     converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage     collection pauses. We recommend updating to the versions mentioned above. (CVE-2022-3509)

  - A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite     versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs     containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes     objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long     garbage collection pauses. We recommend updating to the versions mentioned above. (CVE-2022-3510)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
204500	Photon OS 4.0: Protobuf PHSA-2023-4.0-0417	Nessus	PhotonOS Local Security Checks	high
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
185960	Atlassian Jira Service Management Data Center and Server 4.20.x < 4.20.27 / 5.4.x < 5.4.11 (JSDSERVER-14755)	Nessus	Misc.	high
169832	GLSA-202301-09 : protobuf-java: Denial of Service	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2022-3509

high

Tenable Plugins

high

critical

high

high