An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
{
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "1.14.6"
},
{
"last_affected": "1.14.6"
},
{
"introduced": "1.15.3"
},
{
"last_affected": "1.15.3"
},
{
"introduced": "1.16.2"
},
{
"last_affected": "1.16.2"
},
{
"introduced": "1.17.1"
},
{
"last_affected": "1.17.1"
}
],
"cpe": [
"cpe:2.3:a:envoyproxy:envoy:1.14.6:*:*:*:*:*:*:*",
"cpe:2.3:a:envoyproxy:envoy:1.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:envoyproxy:envoy:1.16.2:*:*:*:*:*:*:*",
"cpe:2.3:a:envoyproxy:envoy:1.17.1:*:*:*:*:*:*:*"
]
}