CVE-2023-27491 – Envoy forwards invalid Http2/Http3 downstream headers
https://notcve.org/view.php?id=CVE-2023-27491
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. A compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, there is a possibility that a non-compliant HTTP/1 service may accept malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. A flaw was found in Envoy that may allow attackers to send specially crafted HTTP/... • https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2023-27488 – Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
https://notcve.org/view.php?id=CVE-2023-27488
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for the `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use the ext_authz, ext_proc, tap, or ratelimit filters, or the gRPC access log service, and an HTTP header with non-... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph • CWE-20: Improper Input Validation •
CVE-2023-27487 – Envoy client may fake the header `x-envoy-original-path`
https://notcve.org/view.php?id=CVE-2023-27487
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g • CWE-20: Improper Input Validation •
CVE-2022-29227 – Use after free in Envoy
https://notcve.org/view.php?id=CVE-2022-29227
09 Jun 2022 — Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is ac... • https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab • CWE-416: Use After Free •
CVE-2022-29226 – Trivial authentication bypass in Envoy
https://notcve.org/view.php?id=CVE-2022-29226
09 Jun 2022 — Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue. • https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 • CWE-303: Incorrect Implementation of Authentication Algorithm CWE-306: Missing Authentication for Critical Function •
CVE-2022-29228 – Reachable assertion in Envoy
https://notcve.org/view.php?id=CVE-2022-29228
09 Jun 2022 — Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() should never be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 • CWE-416: Use After Free CWE-617: Reachable Assertion •
CVE-2022-29225 – Zip bomb vulnerability in Envoy
https://notcve.org/view.php?id=CVE-2022-29225
09 Jun 2022 — Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decodeBody/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small, highly compressed payload. Maliciously constructed compressed payloads may exhaust system memory and cause a denial of service. Users are advised to upgrade. • https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343 • CWE-400: Uncontrolled Resource Consumption CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVE-2022-29224 – Segmentation fault leading to crash in Envoy
https://notcve.org/view.php?id=CVE-2022-29224
09 Jun 2022 — Envoy is a cloud-native high-performance proxy. Versions of Envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking, one of which uses gRPC. Envoy also has a feature which can "hold" (prevent removal of) upstream hosts obtained via service discovery until configured active health checking fails. • https://github.com/envoyproxy/envoy/commit/9b1c3962172a972bc0359398af6daa3790bb59db • CWE-476: NULL Pointer Dereference •
CVE-2021-43826 – Crash when tunneling TCP over HTTP in Envoy
https://notcve.org/view.php?id=CVE-2021-43826
22 Feb 2022 — Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions of Envoy a crash occurs when configured for :ref:`upstream tunneling
CVE-2021-43825 – Use-after-free in Envoy
https://notcve.org/view.php?id=CVE-2021-43825
22 Feb 2022 — Envoy is an open source edge and service proxy, designed for cloud-native applications. Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request if the amount of buffered data is over the limit by sending a 413 or 500 response. However, when the buffer overflows while the response is processed by the filter chain, the operation may not be aborted correctly and may result in accessing freed memor... • https://github.com/envoyproxy/envoy/commit/148de954ed3585d8b4298b424aa24916d0de6136 • CWE-416: Use After Free •