{"containers": {"cna": {"affected": [{"product": "envoy", "vendor": "envoyproxy", "versions": [{"status": "affected", "version": "< 1.22.1"}]}], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there\u2019s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is actually complete, and deleted, this result in a use-after-free. Users are advised to upgrade. Users unable to upgrade are advised to disable internal redirects if crashes are observed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416: Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-09T19:30:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab"}], "source": {"advisory": "GHSA-rm2p-qvf6-pvr6", "discovery": "UNKNOWN"}, "title": "Use after free in Envoy", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29227", "STATE": "PUBLIC", "TITLE": "Use after free in Envoy"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "envoy", "version": {"version_data": [{"version_value": "< 1.22.1"}]}}]}, "vendor_name": "envoyproxy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there\u2019s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is actually complete, and deleted, this result in a use-after-free. Users are advised to upgrade. Users unable to upgrade are advised to disable internal redirects if crashes are observed."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-416: Use After Free"}]}]}, "references": {"reference_data": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6", "refsource": "CONFIRM", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6"}, {"name": "https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab", "refsource": "MISC", "url": "https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab"}]}, "source": {"advisory": "GHSA-rm2p-qvf6-pvr6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.256Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29227", "datePublished": "2022-06-09T19:30:15", "dateReserved": "2022-04-13T00:00:00", "dateUpdated": "2024-08-03T06:17:54.256Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "343FE7CD-C2BF-42EE-8384-AAD008BE690D", "versionEndExcluding": "1.22.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there\u2019s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is actually complete, and deleted, this result in a use-after-free. Users are advised to upgrade. Users unable to upgrade are advised to disable internal redirects if crashes are observed."}, {"lang": "es", "value": "Envoy es un proxy de borde/medio/servicio de alto rendimiento nativo de la nube. En versiones anteriores a 1.22.1, si Envoy intenta enviar un redireccionamiento interno de una petici\u00f3n HTTP que consta de m\u00e1s encabezados HTTP, se presenta un error de por vida que puede desencadenarse. Si mientras es reproducida la petici\u00f3n Envoy env\u00eda una respuesta local cuando son procesados los encabezados del redireccionamiento, el estado descendente indica que el flujo descendente no est\u00e1 completo. Al enviar la respuesta local, Envoy intentar\u00e1 restablecer el flujo descendente, pero como en realidad est\u00e1 completo, y ha sido eliminado, esto resulta en un uso de memoria previamente liberada. es recomendado a usuarios actualizar. Es recomendado a usuarios que no puedan actualizar deshabilitar los redireccionamientos internos si son observados bloqueos"}], "id": "CVE-2022-29227", "lastModified": "2024-11-21T06:58:45.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-09T20:15:08.140", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Envoy security team for reporting this issue.", "bugzilla": {"description": "envoy: Internal redirect crash for requests with body/trailers", "id": "2088741", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088741"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there\u2019s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is actually complete, and deleted, this result in a use-after-free. Users are advised to upgrade. Users unable to upgrade are advised to disable internal redirects if crashes are observed.", "A flaw was found in Envoy. Internal redirects for requests with bodies or trailers are not safe if the redirect prompts an Envoy-generated local reply. A remote attacker can exploit this to cause a denial of service."], "mitigation": {"lang": "en:us", "value": "Disable internal redirects if crashes are observed."}, "name": "CVE-2022-29227", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Affected", "package_name": "servicemesh-proxy", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Affected", "package_name": "servicemesh-proxy", "product_name": "OpenShift Service Mesh 2.1"}], "public_date": "2022-06-09T14:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-29227\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-29227\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6"], "threat_severity": "Important", "upstream_fix": "Envoy 1.22.1, Envoy 1.21.3, Envoy 1.20.4, Envoy 1.19.5"}