| id: GO-2023-1631 |
| modules: |
| - module: google.golang.org/protobuf |
| versions: |
| - introduced: 1.29.0 |
| - fixed: 1.29.1 |
| vulnerable_at: 1.29.0 |
| packages: |
| - package: google.golang.org/protobuf/encoding/prototext |
| symbols: |
| - UnmarshalOptions.unmarshal |
| derived_symbols: |
| - Unmarshal |
| - UnmarshalOptions.Unmarshal |
| - package: google.golang.org/protobuf/internal/encoding/text |
| symbols: |
| - parseNumber |
| derived_symbols: |
| - Decoder.Peek |
| - Decoder.Read |
| summary: Panic when parsing invalid messages in google.golang.org/protobuf |
| description: |- |
| Parsing invalid messages can panic. |
| |
| Parsing a text-format message which contains a potential number consisting of a |
| minus sign, one or more characters of whitespace, and no further input will |
| cause a panic. |
| ghsas: |
| - GHSA-hw7c-3rfg-p46j |
| references: |
| - fix: https://go.dev/cl/475995 |
| - report: https://github.com/golang/protobuf/issues/1530 |
| cve_metadata: |
| id: CVE-2023-24535 |
| cwe: 'CWE-125: Out-of-bounds Read' |
| review_status: REVIEWED |