CVE-2023-27487Improper Input Validation in Envoy

CWE-20Improper Input Validation3 documents3 sources
Severity
9.1CRITICALNVD
EPSS
0.0%
top 94.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Envoyproxy Envoy
Timeline
PublishedApr 4
Latest updateSep 20

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

NVDenvoyproxy/envoy1.23.01.23.6+3
CVEListV5envoyproxy/envoy>= 1.23.0, < 1.23.6, >= 1.24.0, < 1.24.4, >= 1.25.0, <1.25.3+2

🔴Vulnerability Details

1
GHSA
GHSA-qc32-2j82-w5h3: A flaw was found in Envoy2024-09-20

📋Vendor Advisories

1
Red Hat
envoy: Client may fake the header `x-envoy-original-path`2023-04-04
CVE-2023-27487 — Improper Input Validation in Envoy | cvebase