CVE-2023-35943

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-35943
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-35943.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-35943
Aliases
Related
  • GHSA-mc6h-6j9x-v3gq
Published
2023-07-25T19:15:11Z
Modified
2025-02-19T03:33:16.853626Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeadersand encodeHeaders. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the origin header in the Envoy configuration.

References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type
GIT
Repo
https://github.com/envoyproxy/envoy
Events

Affected versions

v1.*

v1.23.0
v1.23.1
v1.23.10
v1.23.11
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.6
v1.23.7
v1.23.8
v1.23.9