9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-37454

GHSA ID

GHSA-6w4m-2xhg-2658

EPSS Score

CWE

CWE-190

Published

4/26/2023

Updated

5/3/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-37454

CVE-2022-37454:
Buffer overflow in sponge queue functions

Impact

The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more.

Patches

Yes, see commit fdc6fef0.

Workarounds

The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether.

References

See issue #105 for more details.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-37454

GHSA ID

GHSA-6w4m-2xhg-2658

EPSS Score

CWE

CWE-190

Published

4/26/2023

Updated

5/3/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pysha3	pip	<= 1.0.2
sha3	rubygems	< 1.0.5	1.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of large partial blocks in the sponge functions. The commit fdc6fef0 shows critical fixes in both SpongeAbsorb and SpongeSqueeze where: 1) Partial block size calculations were changed from 'partialBlock = (unsigned int)(dataByteLen - i)' to overflow-safe comparisons, 2) Buffer management logic was modified to prevent integer wrap-around. The GitHub issue #105 explicitly identifies these functions as containing the vulnerable comparison patterns. Multiple implementations (Python's hashlib, PHP's hash_init) using this XKCP code exhibited the crash behavior described, confirming the functions' roles.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** K****k spon** *un*tion int*r**** ****pts p*rti*l inputs to ** **sor*** *n* p*rti*l outputs to ** squ**z**. * *u***r **n ov*r*low w**n p*rti*l **t* wit* som* sp**i*i* siz*s *r* qu*u**, w**r* *t l**st on* o* t**m **s * l*n*t* o* *^** -

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* l*r** p*rti*l *lo*ks in t** spon** *un*tions. T** *ommit ******** s*ows *riti**l *ix*s in *ot* Spon****sor* *n* Spon**Squ**z* w**r*: *) P*rti*l *lo*k siz* **l*ul*tions w*r* ***n*** *rom 'p*rti*l*lo*k

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-37454: Buffer overflow in sponge queue functions

Impact

Patches

Workarounds

References

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-37454:
Buffer overflow in sponge queue functions

Vulnerability Intelligence
Miggo AI