CVE-2022-29227 — Use After Free in Envoy

CWE-416 — Use After Free2 documents2 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Envoyproxy Envoy

Timeline

PublishedJun 9

Description

Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDenvoyproxy/envoy< 1.22.1

Patches

Patch: github.com ↗Patch: github.com ↗

📋Vendor Advisories

Red Hat

envoy: Internal redirect crash for requests with body/trailers↗2022-06-09

▶