CVE-2023-35943
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-35943
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-35943.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-35943
- Aliases
-
- BIT-envoy-2023-35943
- GHSA-mc6h-6j9x-v3gq
- Published
- 2023-07-25T18:26:23Z
- Modified
- 2025-10-22T18:39:04.044203Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H CVSS Calculator
- Summary
- Envoy vulnerable to CORS filter segfault when origin header is removed
- Details
-
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the
originheader is removed and deleted betweendecodeHeadersandencodeHeaders. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove theoriginheader in the Envoy configuration. - Database specific
{ "cwe_ids": [ "CWE-416" ] }- References
Affected packages
Git / github.com/envoyproxy/envoy
Affected ranges
- Type
- GIT
- Repo
- https://github.com/envoyproxy/envoy
- Events
- Type
- GIT
- Repo
- https://github.com/envoyproxy/envoy
- Events
- Type
- GIT
- Repo
- https://github.com/envoyproxy/envoy
- Events
- Type
- GIT
- Repo
- https://github.com/envoyproxy/envoy
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.18.1
v1.18.2
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.23.1
v1.23.10
v1.23.11
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.6
v1.23.7
v1.23.8
v1.23.9
v1.24.0
v1.24.1
v1.24.2
v1.24.3
v1.24.4
v1.24.5
v1.24.6
v1.24.7
v1.24.8
v1.24.9
v1.25.0
v1.25.1
v1.25.2
v1.25.3
v1.25.4
v1.25.5
v1.25.6
v1.25.7
v1.25.8
v1.26.0
v1.26.1
v1.26.2
v1.26.3
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0