ГлавнаяУязвимости → CVE-2024-7254
7.5высокая

CVE-2024-7254

→ есть в БДУ: BDU:2024-07527 (на русском)
Описание (на английском; русское — в БДУ выше)

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Затрагиваемое ПО
Google ProtobufGoogle Protobuf-javaGoogle Protobuf-javaliteGoogle Protobuf-kotlinGoogle Protobuf-kotlin-liteNetapp Active iq unified managerNetapp BluexpNetapp Ontap tools
CVSS
Балл7.5 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Источники
https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaahttps://security.netapp.com/advisory/ntap-20241213-0010/https://security.netapp.com/advisory/ntap-20250418-0006/