
CVE-2024-7254 potential Denial of Service issue in protobuf-java

Open robert-gdv opened this issue 1 year ago • 3 comments

Sonatype reports CVE-2024-7254 on io.prometheus:prometheus-metrics-shaded-protobuf with a CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N score of 8.7.

It is reported that all versions of prometheus-metrics-shaded-protobuf up to and including 1.3.1 are affected. There is currently no unaffected version of prometheus-metrics-shaded-protobuf available, while the unshaded library protobuf-java has already been fixed.

See also https://github.com/advisories/GHSA-735f-pc8j-v9w8

robert-gdv avatar Oct 02 '24 13:10 robert-gdv

Apparently fixed in https://github.com/prometheus/client_java/pull/1008. I am waiting for a release.

ghost avatar Oct 02 '24 13:10 ghost

On the other hand: that was an automated update. I am not sure that dependabot understands the shading. Shouldn't it also update the protobuf.version.string variable?

ghost avatar Oct 02 '24 14:10 ghost
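An added check for the drift described in the comment above (this is example code, not from the thread or from the client_java build): it parses a pom.xml and reports when the protobuf-java dependency version and the protobuf.version.string property disagree. The pom below is constructed for the example and its version strings are placeholders.

```python
"""Detect drift between a Maven version property and a dependency version.

Constructed sample: the direct protobuf-java dependency was bumped by an
automated update, but the protobuf.version.string property (which a shading
step would read) still holds the old value. Version strings are placeholders.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <protobuf.version.string>PLACEHOLDER-OLD</protobuf.version.string>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>PLACEHOLDER-NEW</version>
    </dependency>
  </dependencies>
</project>
"""


def find_version_drift(pom_xml, prop_name, group_id, artifact_id):
    """Return (property_value, dependency_version) if they differ, else None.

    A dependency whose <version> is the ${prop_name} placeholder follows the
    property and therefore cannot drift; it is reported as consistent.
    """
    root = ET.fromstring(pom_xml)
    prop_value = None
    props = root.find("m:properties", NS)
    if props is not None:
        for child in props:  # compare tags directly; property names contain dots
            if child.tag == f"{{{POM_NS}}}{prop_name}" and child.text:
                prop_value = child.text.strip()
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if (gid, aid) != (group_id, artifact_id):
            continue
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if version == f"${{{prop_name}}}":
            return None  # dependency is tied to the property, no drift possible
        if version != prop_value:
            return (prop_value, version)
    return None
```

Running `find_version_drift` over the sample returns the mismatched pair; pointing the dependency at `${protobuf.version.string}` makes it return None.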

I've created https://github.com/prometheus/client_java/pull/1063 to address this.

zeitlinger avatar Oct 07 '24 13:10 zeitlinger

@zeitlinger which version of prometheus-metrics-shaded-protobuf contains, or will contain, the fix?

artemptushkin avatar Nov 05 '24 15:11 artemptushkin

1.3.2

zeitlinger avatar Nov 05 '24 15:11 zeitlinger

Thx!

ghost avatar Nov 05 '24 17:11 ghost