CVE-2020-8660: Insufficient Verification of Data Authenticity in Envoy

Severity
5.3 MEDIUM (NVD)
EPSS
0.0%
top 93.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Latest update: Mar 3
Published: Mar 4

Description

CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (1 package)

Source: NVD | Package: envoyproxy/envoy | Affected: 1.13.0 | Fixed: 1.13.1 (+1)

Vendor Advisories

1
Red Hat
envoy: TLS inspector bypass (2020-03-03)

Community

1
Bugzilla
CVE-2020-8660 envoy: TLS inspector bypass (2020-02-13)
CVE-2020-8660 — Envoyproxy Envoy vulnerability | cvebase