BIT-envoy-2024-23324

Import Source
https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2024-23324.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-envoy-2024-23324
Aliases
Published
2024-03-06T10:51:54.396Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to the ext_authz filter, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Bitnami / envoy

Package

Name
envoy
Purl
pkg:bitnami/envoy

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected ranges

Type
SEMVER
Events
  • Introduced 1.26.0, Fixed 1.26.7
  • Introduced 1.27.0, Fixed 1.27.3
  • Introduced 1.28.0, Fixed 1.28.1
  • Introduced 1.29.0, Fixed 1.29.1