CVE-2022-21654
published 2022-02-22


Priority: P346 (critical)
CVSS 3.1 base score: 9.8 (critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.06% (60.3th percentile)
Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy's TLS implementation allows a TLS session to be re-used even when some certificate validation settings have been changed from their default configuration, so the changed validation settings are not applied to the re-used session. The only workaround is to ensure that the default TLS settings are used. Users are advised to upgrade to a fixed release (see the Affected table below).

Affected

9 ranges listed (four entries carry no version data and are omitted below)

Vendor               Product   Version range          Fixed in
envoyproxy           envoy     >= 1.7.0  < 1.18.6     1.18.6
envoyproxy           envoy     >= 1.19.0 < 1.19.3     1.19.3
envoyproxy           envoy     >= 1.20.0 < 1.20.2     1.20.2
envoyproxy           envoy     >= 1.21.0 < 1.21.1     1.21.1
github.com/pomerium  pomerium  >= 0      < 0.16.4     0.16.4
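As an added check (example code written for this page, not from the Envoy or Pomerium projects), the following Python script tests a version string against the ranges in the Affected table above. It assumes version strings in the projects' x.y.z tag format, optionally with a leading v or a pre-release suffix such as -rc1; a pre-release of the fixed version is treated as still affected.

```python
"""Is this Envoy / Pomerium build in an affected range for CVE-2022-21654?

Added example for this page, not code from the Envoy or Pomerium projects.
The ranges below are copied from the Affected table; a version string is
assumed to look like '1.19.3', 'v1.20.2' or '1.21.1-rc1'.
"""
import re
from typing import NamedTuple, Optional


class AffectedRange(NamedTuple):
    vendor: str
    product: str
    introduced: str  # inclusive lower bound
    fixed: str       # exclusive upper bound; this is the fixed release


# Ranges as listed on the page (Envoy is tracked per minor line).
AFFECTED = [
    AffectedRange("envoyproxy", "envoy", "1.7.0", "1.18.6"),
    AffectedRange("envoyproxy", "envoy", "1.19.0", "1.19.3"),
    AffectedRange("envoyproxy", "envoy", "1.20.0", "1.20.2"),
    AffectedRange("envoyproxy", "envoy", "1.21.0", "1.21.1"),
    AffectedRange("github.com/pomerium", "pomerium", "0", "0.16.4"),
]

# Optional leading 'v', dotted integers, optional '-prerelease' or '+build'.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-+].*)?$")


def parse_version(version: str) -> tuple:
    """Map a version string to a comparable tuple (major, minor, patch, rel).

    rel is 0 for a release and -1 for a pre-release ('-rc1', '-dev'), so a
    pre-release of the fixed version sorts below the fix and is still
    reported as affected. Build metadata after '+' is ignored.
    """
    s = version.strip()
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # '0' -> 0.0.0, '1.19' -> 1.19.0
    rel = -1 if s[m.end(1):].startswith("-") else 0
    return tuple(parts) + (rel,)


def affected_range(product: str, version: str) -> Optional[AffectedRange]:
    """Return the listed range that `version` of `product` falls in, or None."""
    v = parse_version(version)
    for r in AFFECTED:
        if r.product != product:
            continue
        if parse_version(r.introduced) <= v < parse_version(r.fixed):
            return r
    return None


def advise(product: str, version: str) -> str:
    """Human-readable verdict for one (product, version) pair."""
    r = affected_range(product, version)
    if r is None:
        return f"{product} {version}: not within a listed affected range"
    return (f"{product} {version}: affected by CVE-2022-21654 "
            f"(>= {r.introduced} < {r.fixed}); upgrade to {r.fixed}, and run "
            "with default TLS validation settings until then")


if __name__ == "__main__":
    # Constructed sample inputs, not data from the page.
    for product, version in [("envoy", "1.18.4"), ("envoy", "1.21.1-rc1"),
                             ("envoy", "v1.21.1"), ("pomerium", "0.15.2")]:
        print(advise(product, version))
```

A version that falls outside every listed range (for example an Envoy build older than 1.7.0) is reported as "not within a listed affected range", which is all the table supports; absence from the table is not evidence that an end-of-life line is safe.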

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa           -        7.5    HIGH      -
osv            -        7.5    HIGH      -
vendor_redhat  -        7.4    HIGH      -

The NVD v3.1 rating (9.8, all three impacts High) is well above the GHSA, OSV and Red Hat ratings (7.4 to 7.5); the page carries no vectors for those three sources, so the difference cannot be reconciled from the data here.