CVE-2022-37434

Public on 2022-08-05
Modified on 2024-02-03
Description

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Severity
Medium
See what this means
CVSS v3 Base Score
7.0
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core rsync 2023-06-07 ALAS2-2023-2074
Amazon Linux 2023 rsync 2023-03-22 ALAS2023-2023-002
Amazon Linux 1 zlib 2022-12-06 ALAS-2022-1650
Amazon Linux 2 - Core zlib 2022-09-20 ALAS2-2022-1849
Amazon Linux 2023 zlib 2023-03-22 ALAS2023-2023-003

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
NVD CVSSv3 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2022-37434 Mitre: CVE-2022-37434