Lucene search
GoogleOSV:BIT-ENVOY-2022-29225HistoryMar 06, 2024 - 10:55 a.m.
BIT-envoy-2022-29225
2024-03-0610:55:19
Google
osv.dev
7
cloud-native proxy
vulnerability
data overwriting
zip bomb
decompression
system memory
denial of service
upgrade
software
0.001 Low
EPSS
Percentile
37.5%
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
Related
cve
cve
CVE-2022-29225
2022-06-09 20:15:00
osv
osv
CVE-2022-29225
2022-06-09 20:15:08
cnvd
cnvd
Envoy has an unspecified vulnerability (CNVD-2022-82665)
2022-06-10 00:00:00
redhatcve
redhatcve
CVE-2022-29225
2022-06-09 22:57:51
prion
prion
Buffer overflow
2022-06-09 20:15:00
cvelist
cvelist
CVE-2022-29225 Zip bomb vulnerability in Envoy
2022-06-09 19:15:14
redhat
redhat
nessus
nessus
RHEL 8 : Red Hat OpenShift Service Mesh 2.0.10 (RHSA-2022:5003)
2022-06-13 00:00:00
Oracle Linux 7 : olcne (ELSA-2022-9587)
2022-07-12 00:00:00
Oracle Linux 8 : olcne (ELSA-2022-9588)
2022-07-12 00:00:00
oraclelinux
oraclelinux
olcne security update
2022-07-11 00:00:00
olcne security update
2022-07-11 00:00:00
olcne security update
2022-07-12 00:00:00