CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35945 – Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec
https://notcve.org/view.php?id=CVE-2023-35945
13 Jul 2023 — Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` fram... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r • CWE-400: Uncontrolled Resource Consumption CWE-459: Incomplete Cleanup •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27496 – Envoy may crash when a redirect url without a state param is received in the oauth filter
https://notcve.org/view.php?id=CVE-2023-27496
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a `state` query param is present on any response that looks like an OAuth redirect response. Sending it a request with the URI path equivalent to the redirect path, without the `state` parameter, will lead to abnormal termination of Envoy process. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. The issue can al... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-j79q-2g66-2xv5 • CWE-20: Improper Input Validation •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27493 – Envoy doesn't escape HTTP header values
https://notcve.org/view.php?id=CVE-2023-27493
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27492 – Envoy may crash when a large request body is processed in Lua filter
https://notcve.org/view.php?id=CVE-2023-27492
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ r... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27491 – Envoy forwards invalid Http2/Http3 downstream headers
https://notcve.org/view.php?id=CVE-2023-27491
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There is a possibility that non compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. A flaw was found in Envoy that may allow attackers to send specially crafted HTTP/... • https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27488 – Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
https://notcve.org/view.php?id=CVE-2023-27488
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph • CWE-20: Improper Input Validation •
CVSS: 9.4EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27487 – Envoy client may fake the header `x-envoy-original-path`
https://notcve.org/view.php?id=CVE-2023-27487
04 Apr 2023 — Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29227 – Use after free in Envoy
https://notcve.org/view.php?id=CVE-2022-29227
09 Jun 2022 — Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is ac... • https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29226 – Trivial authentication bypass in Envoy
https://notcve.org/view.php?id=CVE-2022-29226
09 Jun 2022 — Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue. • https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 • CWE-303: Incorrect Implementation of Authentication Algorithm CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29228 – Reachable assertion in Envoy
https://notcve.org/view.php?id=CVE-2022-29228
09 Jun 2022 — Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue. Envoy es un proxy de alto rendimiento nativo de la nube. • https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 • CWE-416: Use After Free CWE-617: Reachable Assertion •