BIT-envoy-2024-32475

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2024-32475.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-envoy-2024-32475

Aliases

CVE-2024-32475

Published

2024-04-20T07:17:35.607Z

Modified

2025-04-03T14:40:37.652Z

Summary

[none]

Details

Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with auto_sni enabled, a request containing a host/:authority header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the host/:authority header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.

Database specific

{
    "cpes": [
        "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / envoy

Package

Name: envoy
Purl: pkg:bitnami/envoy

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.13.0

Fixed

1.27.5

Introduced

1.28.0

Fixed

1.28.3

Introduced

1.29.0

Fixed

1.29.4

Introduced

1.30.0

Fixed

1.30.1