CVE-2024-23327

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-23327

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23327.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-23327

Aliases

BIT-envoy-2024-23327
GHSA-4h5x-x9vh-m29j

Published

2024-02-09T23:15:09Z

Modified

2024-05-14T13:09:34.646368Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type: GIT
Repo: https://github.com/envoyproxy/envoy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

63895ea8e3cca9c5d3ab4c5c128ed1369969d54a

Affected versions

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.18.1

v1.18.2

v1.19.0

v1.2.0

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0