id: GO-2023-1631
modules:
    - module: google.golang.org/protobuf
      versions:
        - introduced: 1.29.0
        - fixed: 1.29.1
      vulnerable_at: 1.29.0
      packages:
        - package: google.golang.org/protobuf/encoding/prototext
          symbols:
            - UnmarshalOptions.unmarshal
          derived_symbols:
            - Unmarshal
            - UnmarshalOptions.Unmarshal
        - package: google.golang.org/protobuf/internal/encoding/text
          symbols:
            - parseNumber
          derived_symbols:
            - Decoder.Peek
            - Decoder.Read
summary: Panic when parsing invalid messages in google.golang.org/protobuf
description: |-
    Parsing invalid messages can panic.
    Parsing a text-format message which contains a potential number consisting of a
    minus sign, one or more characters of whitespace, and no further input will
    cause a panic.
ghsas:
    - GHSA-hw7c-3rfg-p46j
references:
    - fix: https://go.dev/cl/475995
    - report: https://github.com/golang/protobuf/issues/1530
cve_metadata:
    id: CVE-2023-24535
    cwe: 'CWE-125: Out-of-bounds Read'
review_status: REVIEWED
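The description above pins down the triggering input precisely: a minus sign, whitespace, then end of input. The following Go program is an added illustration and is not part of this report nor the google.golang.org/protobuf code base. It assumes a numeric-literal scanner of the shape the description implies (consume an optional '-', skip the whitespace that text format permits after it, then inspect the next byte) and shows, side by side, a version that indexes past the end of the input on "- " and a version with the missing bounds check. The names ParseNumberVulnerable, ParseNumberFixed and Panics are hypothetical and exist only for this example; the real parseNumber in internal/encoding/text differs in detail.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoNumber is returned when the input does not start with a numeric literal.
var ErrNoNumber = errors.New("no numeric literal")

// skipSpace returns s with leading ASCII whitespace removed.
func skipSpace(s []byte) []byte {
	for len(s) > 0 && (s[0] == ' ' || s[0] == '\t' || s[0] == '\n' || s[0] == '\r') {
		s = s[1:]
	}
	return s
}

// scanDigits returns the number of leading decimal digits in s.
func scanDigits(s []byte) int {
	n := 0
	for n < len(s) && s[n] >= '0' && s[n] <= '9' {
		n++
	}
	return n
}

// ParseNumberVulnerable is a hypothetical scanner with the bug shape the
// advisory describes: after consuming '-' and the whitespace allowed after it,
// it reads s[0] without checking that any input remains, so "-" followed only
// by whitespace panics with an index-out-of-range (an out-of-bounds read).
func ParseNumberVulnerable(input []byte) (neg bool, digits string, err error) {
	s := input
	if len(s) == 0 {
		return false, "", ErrNoNumber
	}
	if s[0] == '-' {
		neg = true
		s = skipSpace(s[1:])
	}
	// BUG: s may be empty here; s[0] panics on input such as "- ".
	if s[0] < '0' || s[0] > '9' {
		return false, "", ErrNoNumber
	}
	n := scanDigits(s)
	return neg, string(s[:n]), nil
}

// ParseNumberFixed is the same scanner with the bounds check added, so the
// same input yields ErrNoNumber instead of a panic.
func ParseNumberFixed(input []byte) (neg bool, digits string, err error) {
	s := input
	if len(s) == 0 {
		return false, "", ErrNoNumber
	}
	if s[0] == '-' {
		neg = true
		s = skipSpace(s[1:])
		if len(s) == 0 { // FIX: '-' followed only by whitespace is not a number
			return false, "", ErrNoNumber
		}
	}
	if s[0] < '0' || s[0] > '9' {
		return false, "", ErrNoNumber
	}
	n := scanDigits(s)
	return neg, string(s[:n]), nil
}

// Panics reports whether fn panics on input, recovering the panic so the
// vulnerable scanner can be exercised without crashing the process.
func Panics(fn func([]byte) (bool, string, error), input []byte) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn(input)
	return false
}

func main() {
	// Constructed inputs: valid negatives, the advisory's trigger, and junk.
	for _, in := range []string{"-42", "- 7", "- ", "-\t\n", "x"} {
		fmt.Printf("%-6q vulnerable panics: %v\n", in, Panics(ParseNumberVulnerable, []byte(in)))
		neg, d, err := ParseNumberFixed([]byte(in))
		fmt.Printf("%-6q fixed: neg=%v digits=%q err=%v\n", in, neg, d, err)
	}
}
```

Run it as-is to see the contrast: "-42" and "- 7" parse identically in both versions, while "- " and "-\t\n" panic only in the unchecked version. The remedy for the real library is the one in the report, upgrading google.golang.org/protobuf to 1.29.1 or later; a recover wrapper around prototext.Unmarshal only contains the crash, it does not fix the parser.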