Vulnerability details: VCID-6ar6-xb8y-aaap
Vulnerability ID VCID-6ar6-xb8y-aaap
Aliases CVE-2022-37434
Summary zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Status Published
Exploitability 2.0
Weighted Severity 8.8
Risk 10.0
System      Score     Found at
cvssv3      7.0       https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-37434.json
epss        0.00336   https://api.first.org/data/v1/epss?cve=CVE-2022-37434
epss        0.00341   https://api.first.org/data/v1/epss?cve=CVE-2022-37434
epss        0.92398   https://api.first.org/data/v1/epss?cve=CVE-2022-37434
epss        0.92513   https://api.first.org/data/v1/epss?cve=CVE-2022-37434
epss        0.92678   https://api.first.org/data/v1/epss?cve=CVE-2022-37434
epss        0.92738   https://api.first.org/data/v1/epss?cve=CVE-2022-37434
rhbs        medium    https://bugzilla.redhat.com/show_bug.cgi?id=2116639
cvssv3.1    8.1       https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3      9.8       https://nvd.nist.gov/vuln/detail/CVE-2022-37434
archlinux   High      https://security.archlinux.org/AVG-2821
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-37434.json
https://api.first.org/data/v1/epss?cve=CVE-2022-37434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/curl/curl/issues/9271
https://github.com/ivd38/zlib_overflow
https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
https://security.netapp.com/advisory/ntap-20220901-0005/
https://www.debian.org/security/2022/dsa-5218
http://www.openwall.com/lists/oss-security/2022/08/05/2
http://www.openwall.com/lists/oss-security/2022/08/09/1
1016710 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016710
2116639 https://bugzilla.redhat.com/show_bug.cgi?id=2116639
AVG-2821 https://security.archlinux.org/AVG-2821
cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
CVE-2022-37434 https://nvd.nist.gov/vuln/detail/CVE-2022-37434
RHSA-2022:7106 https://access.redhat.com/errata/RHSA-2022:7106
RHSA-2022:7314 https://access.redhat.com/errata/RHSA-2022:7314
RHSA-2022:7793 https://access.redhat.com/errata/RHSA-2022:7793
RHSA-2022:8291 https://access.redhat.com/errata/RHSA-2022:8291
RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
RHSA-2023:1095 https://access.redhat.com/errata/RHSA-2023:1095
RHSA-2024:0254 https://access.redhat.com/errata/RHSA-2024:0254
USN-5570-1 https://usn.ubuntu.com/5570-1/
USN-5570-2 https://usn.ubuntu.com/5570-2/
USN-5573-1 https://usn.ubuntu.com/5573-1/
USN-6736-1 https://usn.ubuntu.com/6736-1/
USN-6736-2 https://usn.ubuntu.com/6736-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-37434.json
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-37434
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high
Exploit Prediction Scoring System (EPSS)
Percentile 0.70923
EPSS Score 0.00336
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.