CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-35942 – Envoy's gRPC access log crash caused by the listener draining
https://notcve.org/view.php?id=CVE-2023-35942
25 Jul 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a `use-after-free` crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update. A flaw was found in Envoy, where gRPC access loggers using the listener's global scope can cause a ... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4 • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35941 – Envoy vulnerable to OAuth2 credentials exploit with permanent validity
https://notcve.org/view.php?id=CVE-2023-35941
25 Jul 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the ho... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55 • CWE-116: Improper Encoding or Escaping of Output CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35945 – Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec
https://notcve.org/view.php?id=CVE-2023-35945
13 Jul 2023 — Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` fram... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r • CWE-400: Uncontrolled Resource Consumption CWE-459: Incomplete Cleanup •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27496 – Envoy may crash when a redirect url without a state param is received in the oauth filter
https://notcve.org/view.php?id=CVE-2023-27496
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a `state` query param is present on any response that looks like an OAuth redirect response. Sending it a request with the URI path equivalent to the redirect path, without the `state` parameter, will lead to abnormal termination of Envoy process. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. The issue can al... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-j79q-2g66-2xv5 • CWE-20: Improper Input Validation •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27493 – Envoy doesn't escape HTTP header values
https://notcve.org/view.php?id=CVE-2023-27493
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27492 – Envoy may crash when a large request body is processed in Lua filter
https://notcve.org/view.php?id=CVE-2023-27492
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ r... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27491 – Envoy forwards invalid Http2/Http3 downstream headers
https://notcve.org/view.php?id=CVE-2023-27491
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There is a possibility that non compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. A flaw was found in Envoy that may allow attackers to send specially crafted HTTP/... • https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27488 – Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
https://notcve.org/view.php?id=CVE-2023-27488
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph • CWE-20: Improper Input Validation •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27487 – Envoy client may fake the header `x-envoy-original-path`
https://notcve.org/view.php?id=CVE-2023-27487
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29227 – Use after free in Envoy
https://notcve.org/view.php?id=CVE-2022-29227
09 Jun 2022 — Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is ac... • https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab • CWE-416: Use After Free •