CVE-2023-27491
Envoy forwards invalid Http2/Http3 downstream headers
Severity Score
9.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, There is a possibility that non compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.
A flaw was found in Envoy that may allow attackers to send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on the upstream HTTP/1 service.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-03-01 CVE Reserved
- 2023-04-04 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-09-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 | Not Applicable | |
| https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1 | Not Applicable | |
| https://www.rfc-editor.org/rfc/rfc9110#section-5.6.2 | Not Applicable |
| URL | Date | SRC |
|---|---|---|
| https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp | 2024-08-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-27491 | 2023-08-11 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2179138 | 2023-08-11 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | < 1.22.9 Search vendor "Envoyproxy" for product "Envoy" and version " < 1.22.9" | - |
Affected
| ||||||
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | >= 1.23.0 < 1.23.6 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.23.0 < 1.23.6" | - |
Affected
| ||||||
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | >= 1.24.0 < 1.24.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.24.0 < 1.24.4" | - |
Affected
| ||||||
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | >= 1.25.0 < 1.25.3 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.25.0 < 1.25.3" | - |
Affected
| ||||||