CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45810 – Envoy crashes for LocalReply in http async client
https://notcve.org/view.php?id=CVE-2024-45810
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the http async client is handling `sendLocalReply` under some circumstance, e.g., websocket upgrade, and requests mirroring. The http async client will crash during the `sendLocalReply()` in http async client, one reason is http async client is duplicating the status code, another one is the destroy of router is called at the destructor of the async stream, while the stream is deferred deleted at first. There will be problems that the stream decoder is destroyed but its reference is called in `router.onDestroy()`, causing segment fault. This will impact ext_authz if the `upgrade` and `connection` header are allowed, and request mirrorring. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-qm74-x36m-555q https://access.redhat.com/security/cve/CVE-2024-45810 https://bugzilla.redhat.com/show_bug.cgi?id=2313687 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-39305 – Envoy Proxy use after free when route hash policy is configured with cookie attributes
https://notcve.org/view.php?id=CVE-2024-39305
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after configuration was parsed. • https://github.com/envoyproxy/envoy/commit/02a06681fbe0e039b1c7a9215257a7537eddb518 https://github.com/envoyproxy/envoy/commit/50b384cb203a1f2894324cbae64b6d9bc44cce45 https://github.com/envoyproxy/envoy/commit/99b6e525fb9f6f6f19a0425f779bc776f121c7e5 https://github.com/envoyproxy/envoy/commit/b7f509607ad860fd6a63cde4f7d6f0197f9f63bb https://github.com/envoyproxy/envoy/security/advisories/GHSA-fp35-g349-h66f • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2024-32974 – Envoy affected by a crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
https://notcve.org/view.php?id=CVE-2024-32974
Envoy is a cloud-native, open source edge and service proxy. A crash was observed in `EnvoyQuicServerStream::OnInitialHeadersComplete()` with following call stack. It is a use-after-free caused by QUICHE continuing push request headers after `StopReading()` being called on the stream. As after `StopReading()`, the HCM's `ActiveStream` might have already be destroyed and any up calls from QUICHE could potentially cause use after free. Envoy es un proxy de servicio y borde de código abierto, nativo de la nube. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2024-32975 – Envoy crashes in QuicheDataReader::PeekVarInt62Length()
https://notcve.org/view.php?id=CVE-2024-32975
Envoy is a cloud-native, open source edge and service proxy. There is a crash at `QuicheDataReader::PeekVarInt62Length()`. It is caused by integer underflow in the `QuicStreamSequencerBuffer::PeekRegion()` implementation. Envoy es un proxy de servicio y borde de código abierto, nativo de la nube. Hay un bloqueo en `QuicheDataReader::PeekVarInt62Length()`. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2024-32976 – Envoy can enter an endless loop while decompressing Brotli data with extra input
https://notcve.org/view.php?id=CVE-2024-32976
Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into an endless loop during decompression of Brotli data with extra input. Envoy es un proxy de servicio y borde de código abierto, nativo de la nube. Envoyproxy con un filtro Brotli puede entrar en un bucle sin fin durante la descompresión de datos Brotli con entrada adicional. A flaw was found in Envoy's Brotli decompressor. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m https://access.redhat.com/security/cve/CVE-2024-32976 https://bugzilla.redhat.com/show_bug.cgi?id=2283145 • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •