BIT-envoy-2024-45808

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2024-45808.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-envoy-2024-45808
Aliases
  • CVE-2024-45808
Published
2024-09-21T07:10:31.256Z
Modified
2024-09-21T08:12:18.415796Z
Summary
[none]
Details

Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the REQUESTED_SERVER_NAME field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Bitnami / envoy

Package

Name
envoy
Purl
pkg:bitnami/envoy

Severity

  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
1.31.0
Fixed
1.31.2
Introduced
1.30.0
Fixed
1.30.6
Introduced
1.29.0
Fixed
1.29.9
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.7