{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33198?format=json",
  "vulnerability_id": "VCID-hrb4-qjn7-a3f9",
  "summary": "Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH\n### Summary\nThe expected `protocDigest` is ignored when protoc is taken from the `PATH`.\n\n### Details\nThe documentation for the `protocDigest` parameter says:\n> ... Users may wish to specify this if using a `PATH`-based binary ...\n\nHowever, when specifying `<protoc>PATH</protoc>` the `protocDigest` is not actually checked because the code returns here already\nhttps://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L91-L93\n\nbefore the digest check:\nhttps://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L106\n\n### PoC\nSpecify:\n```xml\n<protoc>PATH</protoc>\n<protocDigest>sha256:0000000000000000000000000000000000000000000000000000000000000000</protocDigest>\n```\n\nAnd notice how the `protoc` on the `PATH` is not rejected, despite a digest mismatch.\n\n### Impact\nUsers who have an untrusted `protoc` executable on their `PATH` and rely on `<protocDigest>` as protection are affected.",
  "aliases": [
    { "alias": "GHSA-j2pc-v64r-mv4f" }
  ],
  "fixed_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/65556?format=json",
      "purl": "pkg:maven/io.github.ascopes/protobuf-maven-plugin@3.10.2",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.github.ascopes/protobuf-maven-plugin@3.10.2"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/65555?format=json",
      "purl": "pkg:maven/io.github.ascopes/protobuf-maven-plugin@4.0.2",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.github.ascopes/protobuf-maven-plugin@4.0.2"
    }
  ],
  "affected_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/328131?format=json",
      "purl": "pkg:maven/io.github.ascopes/protobuf-maven-plugin@4.0.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        { "vulnerability": "VCID-hrb4-qjn7-a3f9" }
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.github.ascopes/protobuf-maven-plugin@4.0.0"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/328132?format=json",
      "purl": "pkg:maven/io.github.ascopes/protobuf-maven-plugin@4.0.1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        { "vulnerability": "VCID-hrb4-qjn7-a3f9" }
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.github.ascopes/protobuf-maven-plugin@4.0.1"
    }
  ],
  "references": [
    {
      "reference_url": "https://github.com/ascopes/protobuf-maven-plugin",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        { "value": "1.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" },
        { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }
      ],
      "url": "https://github.com/ascopes/protobuf-maven-plugin"
    },
    {
      "reference_url": "https://github.com/ascopes/protobuf-maven-plugin/commit/d3330e7038a296fe595c5470a22019eb70e35b07",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        { "value": "1.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" },
        { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }
      ],
      "url": "https://github.com/ascopes/protobuf-maven-plugin/commit/d3330e7038a296fe595c5470a22019eb70e35b07"
    },
    {
      "reference_url": "https://github.com/ascopes/protobuf-maven-plugin/security/advisories/GHSA-j2pc-v64r-mv4f",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" },
        { "value": "1.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" },
        { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }
      ],
      "url": "https://github.com/ascopes/protobuf-maven-plugin/security/advisories/GHSA-j2pc-v64r-mv4f"
    },
    {
      "reference_url": "https://github.com/advisories/GHSA-j2pc-v64r-mv4f",
      "reference_id": "GHSA-j2pc-v64r-mv4f",
      "reference_type": "",
      "scores": [
        { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }
      ],
      "url": "https://github.com/advisories/GHSA-j2pc-v64r-mv4f"
    }
  ],
  "weaknesses": [
    {
      "cwe_id": 354,
      "name": "Improper Validation of Integrity Check Value",
      "description": "The product does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission."
    },
    {
      "cwe_id": 693,
      "name": "Protection Mechanism Failure",
      "description": "The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product."
    },
    {
      "cwe_id": 937,
      "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
    },
    {
      "cwe_id": 1035,
      "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
    }
  ],
  "exploits": [],
  "severity_range_score": "0.1 - 3",
  "exploitability": null,
  "weighted_severity": null,
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hrb4-qjn7-a3f9"
}