CVE-2022-2529 - Vulnerability Details - OpenCVE

sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Cloudflare	Goflow

Configuration 1 [-]

cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c

History

Tue, 20 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2022-09-30T10:45:11.000Z

Updated: 2025-05-20T16:03:07.474Z

Reserved: 2022-07-25T00:00:00.000Z

Link: CVE-2022-2529

Vulnrichment

Updated: 2024-08-03T00:39:08.043Z

NVD

Status : Modified

Published: 2022-09-30T11:15:09.353

Modified: 2024-11-21T07:01:11.843

Link: CVE-2022-2529

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Go"], "product": "goflow", "vendor": "Cloudflare", "versions": [{"lessThan": "3.4.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Justin Timperio, Chase Hiltz"}], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-30T10:45:11.000Z", "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "solutions": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "title": "Multiple DoS Attack Vectors in sflow packet handling", "workarounds": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cloudflare.com", "ID": "CVE-2022-2529", "STATE": "PUBLIC", "TITLE": "Multiple DoS Attack Vectors in sflow packet handling"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "goflow", "version": {"version_data": [{"platform": "Go", "version_affected": "<", "version_value": "3.4.4"}]}}]}, "vendor_name": "Cloudflare"}]}}, "credit": [{"lang": "eng", "value": "Justin Timperio, Chase Hiltz"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "refsource": "MISC", "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}]}, "solution": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:08.043Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-20T16:02:58.308388Z", "id": "CVE-2022-2529", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T16:03:07.474Z"}}]}, "cveMetadata": {"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "assignerShortName": "cloudflare", "cveId": "CVE-2022-2529", "datePublished": "2022-09-30T10:45:11.000Z", "dateReserved": "2022-07-25T00:00:00.000Z", "dateUpdated": "2025-05-20T16:03:07.474Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:08.043Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-2529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-20T16:02:58.308388Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T16:03:03.524Z"}}], "cna": {"title": "Multiple DoS Attack Vectors in sflow packet handling", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Justin Timperio, Chase Hiltz"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Cloudflare", "product": "goflow", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3.4.4", "versionType": "custom"}], "platforms": ["Go"]}], "solutions": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "references": [{"url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "tags": ["x_refsource_MISC"]}], "workarounds": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2022-09-30T10:45:11.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Justin Timperio, Chase Hiltz"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"platform": "Go", "version_value": "3.4.4", "version_affected": "<"}]}, "product_name": "goflow"}]}, "vendor_name": "Cloudflare"}]}}, "solution": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "name": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "work_around": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-2529", "STATE": "PUBLIC", "TITLE": "Multiple DoS Attack Vectors in sflow packet handling", "ASSIGNER": "cna@cloudflare.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-2529", "state": "PUBLISHED", "dateUpdated": "2025-05-20T16:03:07.474Z", "dateReserved": "2022-07-25T00:00:00.000Z", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "datePublished": "2022-09-30T10:45:11.000Z", "assignerShortName": "cloudflare"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA4C3B2C-FA7D-4659-97FF-880D574C12B4", "versionEndExcluding": "3.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}, {"lang": "es", "value": "El paquete de decodificaci\u00f3n sflow no emplea suficiente sanitizaci\u00f3n de paquetes, lo que puede llevar a un ataque de denegaci\u00f3n de servicio. Los atacantes pueden elaborar paquetes malformados haciendo que el proceso consuma grandes cantidades de memoria, lo que provoca una denegaci\u00f3n de servicio"}], "id": "CVE-2022-2529", "lastModified": "2024-11-21T07:01:11.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cna@cloudflare.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-30T11:15:09.353", "references": [{"source": "cna@cloudflare.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-400"}], "source": "cna@cloudflare.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}