BIT-envoy-2024-23327

Import Source
https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2024-23327.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-envoy-2024-23327
Aliases
Published
2024-03-06T10:51:34.990Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Bitnami / envoy

Package

Name
envoy
Purl
pkg:bitnami/envoy

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected ranges

Type
SEMVER
Events

  • Introduced 1.26.0, Fixed 1.26.7
  • Introduced 1.27.0, Fixed 1.27.3
  • Introduced 1.28.0, Fixed 1.28.1
  • Introduced 1.29.0, Fixed 1.29.1