CVE-2023-24535

Summary

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

Affected Software

VendorProductVersion RangeStatus
google.golang.org/protobufgoogle.golang.org/protobuf/encoding/prototext1.29.0 < 1.29.1affected
google.golang.org/protobufgoogle.golang.org/protobuf/internal/encoding/text1.29.0 < 1.29.1affected

Weaknesses

  • CWE-125: Out-of-bounds Read

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References