CVE-2019-9900

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-9900

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9900.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-9900

Related

GHSA-x74r-f4mw-c32h

Published

2019-04-25T15:29:01Z

Modified

2025-01-14T08:12:54.412934Z

Downstream

RHSA-2019:0741

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.

References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type: GIT
Repo: https://github.com/envoyproxy/envoy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

37bfd8ac347955661af695a417492655b21939dc

Affected versions

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0