Closed
Labels: excluded: NOT_GO_CODE (This vulnerability does not refer to a Go module.)
Description
CVE-2022-29228 references github.com/envoyproxy/envoy, which may be a Go module.
Description:
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.
Links:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29228
- JSON: https://github.com/CVEProject/cvelist/tree/72f081cb3697a960cc2c49a3f0187f129bf20341/2022/29xxx/CVE-2022-29228.json
- Commit: envoyproxy/envoy@7ffda4e
- Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby
- GHSA-rww6-8h7g-8jf6
See doc/triage.md for instructions on how to triage this report.
```yaml
packages:
  - module: github.com/envoyproxy/envoy
    package: envoy
    description: |
      Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn't ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.
    cves:
      - CVE-2022-29228
    links:
      commit: https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360
      context:
        - https://github.com/envoyproxy/envoy/security/advisories/GHSA-rww6-8h7g-8jf6
```
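The report above is excluded from the Go database because Envoy is C++, but an operator still has to decide whether a deployment is exposed. The advisory gives two conditions: an Envoy build older than 1.22.1, and the OAuth2 HTTP filter present in the listener configuration (the bug is in that filter calling continueDecoding() after a local reply, so a proxy that never loads the filter has no reachable path to it). The script below is an added triage check written for this page; it is not code from the vulndb report, from the triage tooling, or from the Envoy project. It assumes that `envoy --version` prints a `version: <git-sha>/<major>.<minor>.<patch>/...` line as release builds typically do, that the filter is referenced in the config by the name `envoy.filters.http.oauth2` or the `envoy.extensions.filters.http.oauth2.v3.OAuth2` type URL, and it uses constructed sample inputs rather than captured ones.

```python
"""Triage check for CVE-2022-29228: is a given Envoy deployment exposed?

Advisory condition: Envoy older than 1.22.1 *and* the OAuth2 HTTP filter in the
active configuration. Both inputs are plain text, so the check runs offline.
Added example for this page; not code from the vulndb report or from Envoy.
"""
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# The advisory text says versions prior to 1.22.1 are affected. It does not
# list patched releases on older minor lines; if you run one, confirm against
# the GHSA before relying on this single threshold.
FIXED_VERSION: Version = (1, 22, 1)

# Assumed layout of the `envoy --version` line on release builds:
#   envoy  version: <git-sha>/1.22.0/Clean/RELEASE/BoringSSL
# The git sha is treated as optional so dev builds without it still parse.
_VERSION_RE = re.compile(r"version:\s*(?:[0-9a-f]+/)?(\d+)\.(\d+)\.(\d+)")

# How the OAuth2 HTTP filter appears in a listener's http_filters list:
# by well-known filter name or by the typed_config type URL.
OAUTH_FILTER_MARKERS = (
    "envoy.filters.http.oauth2",
    "envoy.extensions.filters.http.oauth2.v3.OAuth2",
)


def parse_envoy_version(version_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `envoy --version` output, or None."""
    match = _VERSION_RE.search(version_output)
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def version_is_affected(version: Version) -> bool:
    """True when the build predates the fixed release (tuple comparison)."""
    return version < FIXED_VERSION


def config_uses_oauth_filter(config_text: str) -> bool:
    """True when the listener/bootstrap config references the OAuth2 HTTP filter."""
    return any(marker in config_text for marker in OAUTH_FILTER_MARKERS)


class Triage(NamedTuple):
    version: Optional[Version]
    affected_version: bool
    oauth_filter_configured: bool
    exposed: bool


def triage(version_output: str, config_text: str) -> Triage:
    """Combine both conditions. An unparseable version is treated as affected
    so that an unknown build is never silently marked safe."""
    version = parse_envoy_version(version_output)
    affected = True if version is None else version_is_affected(version)
    uses_oauth = config_uses_oauth_filter(config_text)
    return Triage(version, affected, uses_oauth, affected and uses_oauth)


# Constructed sample inputs (not captured from a real deployment; shas are fake).
SAMPLE_VERSION_OLD = (
    "envoy  version: 0123456789abcdef0123456789abcdef01234567/1.22.0/Clean/RELEASE/BoringSSL"
)
SAMPLE_VERSION_FIXED = (
    "envoy  version: 89abcdef0123456789abcdef0123456789abcdef/1.22.1/Clean/RELEASE/BoringSSL"
)
SAMPLE_CONFIG_WITH_OAUTH = """\
http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
- name: envoy.filters.http.router
"""
SAMPLE_CONFIG_NO_OAUTH = """\
http_filters:
- name: envoy.filters.http.router
"""

if __name__ == "__main__":
    for label, ver, cfg in (
        ("old build, oauth2 on", SAMPLE_VERSION_OLD, SAMPLE_CONFIG_WITH_OAUTH),
        ("fixed build, oauth2 on", SAMPLE_VERSION_FIXED, SAMPLE_CONFIG_WITH_OAUTH),
        ("old build, no oauth2", SAMPLE_VERSION_OLD, SAMPLE_CONFIG_NO_OAUTH),
    ):
        print(label, "->", triage(ver, cfg))
```

The version comparison is deliberately conservative: a build whose version line cannot be parsed is reported as affected, and the result also records each condition separately so a reviewer can see whether the "not exposed" verdict came from the version or from the absence of the filter.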