CVE-2024-23326

Envoy incorrectly accepts HTTP 200 response for entering upgrade mode

Severity Score

8.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching protocols. Envoy incorrectly accepts a 200 response from a server when requesting a protocol upgrade, but 200 does not indicate protocol switch. This opens up the possibility of request smuggling through Envoy if the server can be tricked into adding the upgrade header to the response.

Envoy es un proxy de servicio y borde de código abierto, nativo de la nube. Existe una vulnerabilidad teórica de contrabando de solicitudes a través de Envoy si se puede engañar a un servidor para que agregue un encabezado de actualización en una respuesta. Según RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7, un servidor envía 101 al cambiar de protocolo. Envoy acepta incorrectamente una respuesta 200 de un servidor cuando solicita una actualización de protocolo, pero 200 no indica un cambio de protocolo. Esto abre la posibilidad de contrabando de solicitudes a través de Envoy si se puede engañar al servidor para que agregue el encabezado de actualización a la respuesta.

A possible request smuggling vulnerability exists through Envoy. This issue occurs if a server can be tricked into adding an upgrade header into a response.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-15 CVE Reserved
2024-06-04 CVE Published
2024-06-13 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-391: Unchecked Error Condition
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c	2024-06-12
https://access.redhat.com/security/cve/CVE-2024-23326	2024-10-07
https://bugzilla.redhat.com/show_bug.cgi?id=2259228	2024-10-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				< 1.27.6 Search vendor "Envoyproxy" for product "Envoy" and version " < 1.27.6"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.28.0 < 1.28.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.28.0 < 1.28.4"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.29.0 < 1.29.5 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.29.0 < 1.29.5"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.30.0 < 1.30.2 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.30.0 < 1.30.2"		-		Affected