Sign In

CVE-2022-37454

ADVISORY - github

Summary

Impact

The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more.

Patches

Yes, see commit fdc6fef0.

Workarounds

The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether.

References

See issue #105 for more details.

EPSS Score: 0.01202 (0.780)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-190

Integer Overflow or Wraparound

ADVISORY - github

CWE-190

Integer Overflow or Wraparound

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-190

Integer Overflow or Wraparound

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-680

Integer Overflow to Buffer Overflow

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in