CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2023-35942 – Envoy's gRPC access log crash caused by the listener draining
https://notcve.org/view.php?id=CVE-2023-35942
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a `use-after-free` crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update. A flaw was found in Envoy, where gRPC access loggers using the listener's global scope can cause a use-after-free crash when the listener is drained. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4 https://access.redhat.com/security/cve/CVE-2023-35942 https://bugzilla.redhat.com/show_bug.cgi?id=2217978 • CWE-416: Use After Free •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35941 – Envoy vulnerable to OAuth2 credentials exploit with permanent validity
https://notcve.org/view.php?id=CVE-2023-35941
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55 https://access.redhat.com/security/cve/CVE-2023-35941 https://bugzilla.redhat.com/show_bug.cgi?id=2217977 • CWE-116: Improper Encoding or Escaping of Output CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35945 – Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec
https://notcve.org/view.php?id=CVE-2023-35945
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346 https://access.redhat.com/security/cve/CVE-2023-35945 https://bugzilla.redhat.com/show_bug.cgi?id=2217983 • CWE-400: Uncontrolled Resource Consumption CWE-459: Incomplete Cleanup •