x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225

[GoVulnBot]

CVE-2022-29225 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.

Links:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29225
• JSON: https://github.com/CVEProject/cvelist/tree/72f081cb3697a960cc2c49a3f0187f129bf20341/2022/29xxx/CVE-2022-29225.json
• Commit: envoyproxy/envoy@cb4ef0b
• Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby
• GHSA-75hv-2jjj-89hh

See doc/triage.md for instructions on how to triage this report.

packages:
  - module: github.com/envoyproxy/envoy
    package: envoy
description: |
    Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
cves:
  - CVE-2022-29225
links:
    commit: https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343
    context:
      - https://github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hh