{"id":"UBUNTU-CVE-2021-3121","details":"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.","modified":"2025-10-24T04:49:10Z","published":"2021-01-11T06:15:00Z","upstream":["CVE-2021-3121"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-3121"},{"type":"REPORT","url":"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-3121"}],"affected":[{"package":{"name":"golang-gogoprotobuf","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/golang-gogoprotobuf@0.0~git20150828.0.6cab0cc-1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.0~git20150717-1","0.0~git20150828.0.6cab0cc-1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-gogoprotobuf-dev","binary_version":"0.0~git20150828.0.6cab0cc-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3121.json"}},{"package":{"name":"golang-gogoprotobuf","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/golang-gogoprotobuf@0.5-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.3+git20170120.144.265e960d-1ubuntu1","0.5-1"],"ecosystem_specific":{"binaries":[{"binary_name":"gogoprotobuf","binary_version":"0.5-1"},{"binary_name":"golang-github-gogo-protobuf-dev","binary_version":"0.5-1"},{"binary_name":"golang-gogoprotobuf-dev","binary_version":"0.5-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3121.json"}},{"package":{"name":"golang-gogoprotobuf","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/golang-gogoprotobuf@1.2.1+git20190611.dadb6258-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.1+git20190611.dadb6258-1"],"ecosystem_specific":{"binaries":[{"binary_name":"gogoprotobuf","binary_version":"1.2.1+git20190611.dadb6258-1"},{"binary_name":"golang-github-gogo-protobuf-dev","binary_version":"1.2.1+git20190611.dadb6258-1"},{"binary_name":"golang-gogoprotobuf-dev","binary_version":"1.2.1+git20190611.dadb6258-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3121.json"}},{"package":{"name":"golang-gogoprotobuf","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/golang-gogoprotobuf@1.3.2-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.2-1"}]}],"ecosystem_specific":{"binaries":[{"binary_name":"gogoprotobuf","binary_version":"1.3.2-1"},{"binary_name":"golang-github-gogo-protobuf-dev","binary_version":"1.3.2-1"},{"binary_name":"golang-gogoprotobuf-dev","binary_version":"1.3.2-1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-3121.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"type":"Ubuntu","score":"medium"}]}