Pio1006 / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
0 stars 0 forks source link

CVE-2022-29225 (High) detected in multiple libraries - autoclosed #12

Closed mend-for-github-com[bot] closed 6 months ago

mend-for-github-com[bot] commented 2 years ago

CVE-2022-29225 - High Severity Vulnerability

Vulnerable Libraries - envoy1.12.0-alpha.1, envoy1.12.0-alpha.1, envoy1.12.0-alpha.1, envoy1.12.0-alpha.1

Vulnerability Details

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.

Publish Date: 2022-06-09

URL: CVE-2022-29225

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hh

Release Date: 2022-06-09

Fix Resolution: v1.19.5,v1.20.4,v1.21.3,v1.22.1

mend-for-github-com[bot] commented 6 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #48