CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27491 – Envoy forwards invalid Http2/Http3 downstream headers
https://notcve.org/view.php?id=CVE-2023-27491
Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There is a possibility that non compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. A flaw was found in Envoy that may allow attackers to send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on the upstream HTTP/1 service. • https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1 https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp https://www.rfc-editor.org/rfc/rfc9110#section-5.6.2 https://access.redhat.com/security/cve/CVE-2023-27491 https://bugzilla.redhat.com/show_bug.cgi?id=2179138 • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27488 – Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
https://notcve.org/view.php?id=CVE-2023-27488
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-UTF-8 data was received, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For ext_authz that was configured with ``failure_mode_allow: true``, the request would have been allowed in this case. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph https://access.redhat.com/security/cve/CVE-2023-27488 https://bugzilla.redhat.com/show_bug.cgi?id=2182156 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27487 – Envoy client may fake the header `x-envoy-original-path`
https://notcve.org/view.php?id=CVE-2023-27487
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used in the URL used for `jwt_authn` checks if the `jwt_authn` filter is used, and any other upstream use of the x-envoy-original-path header. Attackers may forge a trusted `x-envoy-original-path` header. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g https://access.redhat.com/security/cve/CVE-2023-27487 https://bugzilla.redhat.com/show_bug.cgi?id=2179135 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29227 – Use after free in Envoy
https://notcve.org/view.php?id=CVE-2022-29227
Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is actually complete, and deleted, this result in a use-after-free. Users are advised to upgrade. • https://github.com/envoyproxy/envoy/commit/fe7c69c248f4fe5a9080c7ccb35275b5218bb5ab https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6 • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29226 – Trivial authentication bypass in Envoy
https://notcve.org/view.php?id=CVE-2022-29226
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue. • https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh https://access.redhat.com/security/cve/CVE-2022-29226 https://bugzilla.redhat.com/show_bug.cgi?id=2088739 • CWE-303: Incorrect Implementation of Authentication Algorithm CWE-306: Missing Authentication for Critical Function •