CVE-2023-27491
published 2023-04-04


Priority: P3 52
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.87% (54.2nd percentile)
Envoy is an open source edge and service proxy designed for cloud-native applications. A compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, a non-compliant HTTP/1 service may accept malformed requests, potentially leading to a bypass of security policies. This issue is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.

Affected

7 ranges

Vendor        Product   Version range          Fixed in
envoyproxy    envoy     < 1.22.9               1.22.9
envoyproxy    envoy
envoyproxy    envoy
envoyproxy    envoy
envoyproxy    envoy     >= 1.23.0, < 1.23.6    1.23.6
envoyproxy    envoy     >= 1.24.0, < 1.24.4    1.24.4
envoyproxy    envoy     >= 1.25.0, < 1.25.3    1.25.3

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat             5.4     MEDIUM