BIT-envoy-2024-45808

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2024-45808.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-envoy-2024-45808

Aliases

CVE-2024-45808
GHSA-p222-xhp9-39rc

Published

2024-09-21T07:10:31.256Z

Modified

2025-05-20T10:02:07.006Z

Summary

Malicious log injection via access logs in envoy

Details

Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the REQUESTED_SERVER_NAME field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / envoy

Package

Name: envoy
Purl: pkg:bitnami/envoy

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.28.7

Introduced

1.29.0

Fixed

1.29.9

Introduced

1.30.0

Fixed

1.30.6

Introduced

1.31.0

Fixed

1.31.2