CVE-2022-21654 — Improper Certificate Validation in Envoy

CWE-295 — Improper Certificate Validation CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition5 documents5 sources

Severity

9.8CRITICALNVD

GHSA7.5OSV7.5

EPSS

0.1%

top 81.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Pomerium Pomerium Envoyproxy Envoy

Timeline

PublishedFeb 22

Latest updateNov 6

Description

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDenvoyproxy/envoy1.7.0 — 1.18.6+3

▶CVEListV5envoyproxy/envoy4 versions+3

▶Gogithub.com/pomerium_pomerium< 0.16.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Multiple security issues in Pomerium's embedded envoy↗2022-03-01

▶

GHSA

Multiple security issues in Pomerium's embedded envoy↗2022-03-01

▶

📋Vendor Advisories

Red Hat

envoy: Incorrect configuration handling allows mTLS session re-use without re-validation↗2022-02-22

▶

📄Research Papers

arXiv

Specification-Guided Vulnerability Detection with Large Language Models↗2025-11-06

▶