Description
Envoy is a cloud-native, high-performance proxy. In versions prior to 1.22.1, the decompressors accumulate all decompressed data into an intermediate buffer before overwriting the body in the decodeBody/encodeBody hooks, so the amount of memory allocated is controlled by the decompressed size of the payload rather than its size on the wire. This allows an attacker to "zip bomb" the decompressor by sending a small, highly compressed payload: a maliciously constructed compressed body may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
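The two decompression patterns the description contrasts, as an added illustration in Python rather than Envoy's own C++ code: a constructed gzip payload of zeros that is a few kilobytes on the wire but megabytes once inflated, an unbounded inflate that allocates whatever the payload expands to, and a bounded, streaming inflate that aborts once output crosses a cap. The cap value, the chunk size and all function names are assumptions for the example; the mitigation shown (capping inflated output) is a generic technique, not a description of the 1.22.1 fix.

```python
import gzip
import zlib

# Assumed policy value for this example; a real proxy would make the cap configurable.
MAX_DECOMPRESSED_BYTES = 1 << 20  # 1 MiB


class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would exceed the configured cap."""


def make_zip_bomb(decompressed_size: int) -> bytes:
    """Constructed attacker payload: a run of zeros compresses at roughly 1000:1 with gzip."""
    return gzip.compress(b"\x00" * decompressed_size, compresslevel=9)


def decompress_unbounded(payload: bytes) -> bytes:
    """The vulnerable pattern: inflate the whole body into one buffer, then look at it.

    Peak memory is dictated entirely by the attacker's chosen decompressed size.
    """
    return gzip.decompress(payload)


def decompress_bounded(payload: bytes, max_out: int = MAX_DECOMPRESSED_BYTES,
                       chunk: int = 64 * 1024) -> bytes:
    """Streaming inflate that aborts as soon as the output crosses max_out.

    zlib.decompressobj().decompress(data, max_length) returns at most max_length
    bytes and parks the unprocessed input in .unconsumed_tail, so peak memory stays
    around max_out + chunk no matter what the payload would expand to.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    pending = payload
    while not inflater.eof:
        piece = inflater.decompress(pending, chunk)
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"inflated size exceeds {max_out} bytes (input was {len(payload)} bytes)")
        pending = inflater.unconsumed_tail
        if not piece and not pending and not inflater.eof:
            # No output, no input left, stream not finished: the body was cut short.
            raise ValueError("truncated gzip stream")
    return bytes(out)


def exceeds_limit(payload: bytes, max_out: int = MAX_DECOMPRESSED_BYTES) -> bool:
    """True if decompress_bounded would reject the payload under the given cap."""
    try:
        decompress_bounded(payload, max_out)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = make_zip_bomb(64 * 1024 * 1024)  # 64 MiB of zeros, a few dozen KiB on the wire
    print(f"payload on the wire: {len(bomb)} bytes")
    print(f"rejected under a 1 MiB cap: {exceeds_limit(bomb)}")
```

The bounded variant inflates in 64 KiB steps and checks the running total after every step, which is the property the intermediate-buffer design lacked: the decision to stop is taken before the memory is spent, not after.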
Remediation
Upgrade Envoy to version 1.22.1 or later. Where upgrading is not possible, disable decompression so that the proxy never inflates request or response bodies it receives.
References