LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2015-5237
CVE STATUS: Patched
CVE SUMMARY: protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
CVSS v2 BASE SCORE: 6.5
CVSS v3 BASE SCORE: 8.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5237

LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2021-22570
CVE STATUS: Patched
CVE SUMMARY: Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22570

LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2021-3121
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 8.6
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3121

LAYER: meta-oe
PACKAGE NAME: protobuf
PACKAGE VERSION: 4.25.3
CVE: CVE-2023-24535
CVE STATUS: Patched
CVE SUMMARY: Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24535