CVE-2022-29225

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
Configurations

Configuration 1 (hide)

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

History

16 Jun 2022, 17:30

Type Values Removed Values Added
References (MISC) https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343 - (MISC) https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hh - (CONFIRM) https://github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hh - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
CPE cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

09 Jun 2022, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-06-09 20:15

Updated : 2024-02-04 22:29


NVD link : CVE-2022-29225

Mitre link : CVE-2022-29225

CVE.ORG link : CVE-2022-29225


JSON object : View

Products Affected

envoyproxy

  • envoy
CWE
CWE-400

Uncontrolled Resource Consumption

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)