Description
Hello,
Writing to talk about GHSA-h4h5-3hr4-j3g2 (related: GHSA-h4h5-3hr4-j3g2).
The vulnerability is described as follows and is marked as Medium severity:
> A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data.
> Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
A few questions here:
- How is the vulnerability different from the ones below (or is GHSA-h4h5-3hr4-j3g2 a parent vulnerability, of sorts, for the ones below)?
  - GHSA-wrvw-hg22-4m67 (High severity) -- A potential Denial of Service issue in protobuf-java in parsing binary data
  - GHSA-735f-pc8j-v9w8 (High severity) -- A potential Denial of Service issue in protobuf-java in parsing unknown fields
  - GHSA-g5ww-5jh7-63cx (High severity) -- A potential Denial of Service issue in protobuf-java where objects are converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses
  - GHSA-4gg5-vx3j-xwc7 (High severity) -- A potential Denial of Service issue in protobuf-java where objects are converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses
- Clarification related to severity would also be appreciated, because it appears GHSA-g5ww-5jh7-63cx and GHSA-4gg5-vx3j-xwc7 are both High severity.
Regards.