CVE-2022-4899
CVE Details
Visit the official vulnerability details page for CVE-2022-4899 to learn more.
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
libzstd1
NIST CVE Summary
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
CVE Severity
Our Official Summary
zstd is a compression library and command-line tool that provides fast and efficient compression and decompression capabilities. The vulnerability in zstd v1.4.10 allows an attacker to exploit a buffer overrun by providing an empty string as a command-line argument. This can lead to a variety of potential consequences, including denial of service and information disclosure.
Risk of exploitation of this vulnerability for our products is low, since accessing the compression library requires attacker to have privileged access to the containers and do not allow arbitrary code to be run on them. Impact of exploitation is also low since containers have a limited attack surface. Third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.15 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.11 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.10 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.8 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.5 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.4 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 11/28/2024 | Official summary revised: zstd is a compression library and command-line tool that provides fast and efficient compression and decompression capabilities. The vulnerability in zstd v1.4.10 allows an attacker to exploit a buffer overrun by providing an empty string as a command-line argument. This can lead to a variety of potential consequences, including denial of service and information disclosure.Risk of exploitation of this vulnerability for our products is low, since accessing the compression library requires attacker to have privileged access to the containers and do not allow arbitrary code to be run on them. Impact of exploitation is also low since containers have a limited attack surface. Third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |