CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35941 – Envoy vulnerable to OAuth2 credentials exploit with permanent validity
https://notcve.org/view.php?id=CVE-2023-35941
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55 https://access.redhat.com/security/cve/CVE-2023-35941 https://bugzilla.redhat.com/show_bug.cgi?id=2217977 • CWE-116: Improper Encoding or Escaping of Output CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35945 – Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec
https://notcve.org/view.php?id=CVE-2023-35945
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346 https://access.redhat.com/security/cve/CVE-2023-35945 https://bugzilla.redhat.com/show_bug.cgi?id=2217983 • CWE-400: Uncontrolled Resource Consumption CWE-459: Incomplete Cleanup •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27496 – Envoy may crash when a redirect url without a state param is received in the oauth filter
https://notcve.org/view.php?id=CVE-2023-27496
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a `state` query param is present on any response that looks like an OAuth redirect response. Sending it a request with the URI path equivalent to the redirect path, without the `state` parameter, will lead to abnormal termination of Envoy process. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. The issue can also be mitigated by locking down OAuth traffic, disabling the filter, or by filtering traffic before it reaches the OAuth filter (e.g. via a lua script). • https://github.com/envoyproxy/envoy/security/advisories/GHSA-j79q-2g66-2xv5 https://access.redhat.com/security/cve/CVE-2023-27496 https://bugzilla.redhat.com/show_bug.cgi?id=2182155 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27493 – Envoy doesn't escape HTTP header values
https://notcve.org/view.php?id=CVE-2023-27493
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q https://access.redhat.com/security/cve/CVE-2023-27493 https://bugzilla.redhat.com/show_bug.cgi?id=2182158 • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2023-27492 – Envoy may crash when a large request body is processed in Lua filter
https://notcve.org/view.php?id=CVE-2023-27492
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ responses, mitigate by using the buffer filter to avoid triggering the local reply in the Lua filter. A flaw was found in Envoy. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2 https://access.redhat.com/security/cve/CVE-2023-27492 https://bugzilla.redhat.com/show_bug.cgi?id=2179139 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •