cbcvebase.
CVE-2023-27487
published 2023-04-04

CVE-2023-27487: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client…

PriorityP352critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.64%
45.9th percentile
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used in the URL used for `jwt_authn` checks if the `jwt_authn` filter is used, and any other upstream use of the x-envoy-original-path header. Attackers may forge a trusted `x-envoy-original-path` header. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 have patches for this issue.

Affected

7 ranges
VendorProductVersion rangeFixed in
envoyproxyenvoy< 1.22.91.22.9
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy>= 1.23.0 < 1.23.61.23.6
envoyproxyenvoy>= 1.24.0 < 1.24.41.24.4
envoyproxyenvoy>= 1.25.0 < 1.25.31.25.3

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat8.2HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.