CVE-2024-53984

Published: Dec 2, 2024

Modified: Dec 2, 2024

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Nanopb is a small code-size Protocol Buffers implementation. When the compile time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with FT_POINTER field type, custom stream callback is used with unknown stream length. and the pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then the pb_decode_ex() function does not automatically call pb_release(), like is done for other failure cases. This could lead to memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1.

Vendor	Product	Versions
nanopb	nanopb	affected `>=0.4.0, < 0.4.9.1`

Weaknesses (CWE)

CWE-401

CWE-755

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r

x_refsource_CONFIRM

https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-53984

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References