CVE-2024-32475

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-32475

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32475.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-32475

Aliases

BIT-envoy-2024-32475

Related

GHSA-3mh5-6q8v-25wj

Published

2024-04-18T15:15:30Z

Modified

2025-05-20T03:15:23.476861Z

Summary

[none]

Details

Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with auto_sni enabled, a request containing a host/:authority header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the host/:authority header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.

References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type: GIT
Repo: https://github.com/envoyproxy/envoy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b47fc6648d7c2dfe0093a601d44cb704b7bad382

Fixed

b47fc6648d7c2dfe0093a601d44cb704b7bad382

Affected versions

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.18.1

v1.18.2

v1.19.0

v1.2.0

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.30.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0