x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228

[GoVulnBot]

CVE-2022-29228 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.

Links:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29228
• JSON: https://github.com/CVEProject/cvelist/tree/72f081cb3697a960cc2c49a3f0187f129bf20341/2022/29xxx/CVE-2022-29228.json
• Commit: envoyproxy/envoy@7ffda4e
• Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby
• GHSA-rww6-8h7g-8jf6

See doc/triage.md for instructions on how to triage this report.

packages:
  - module: github.com/envoyproxy/envoy
    package: envoy
description: |
    Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.
cves:
  - CVE-2022-29228
links:
    commit: https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360
    context:
      - https://github.com/envoyproxy/envoy/security/advisories/GHSA-rww6-8h7g-8jf6