CVE-2023-35941: Improper Encoding or Escaping of Output in Envoy

Severity
9.8 CRITICAL (NVD)
EPSS
0.1%
top 81.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 25

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios in which the HMAC payload can always be valid in the OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcar

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEList V5: envoyproxy/envoy < 1.23.12 (+3 more ranges)
NVD: envoyproxy/envoy 1.23.0 to 1.23.12 (+3 more ranges)

Vendor Advisories (1)

Red Hat
envoy: OAuth2 credentials exploit with permanent validity
2023-07-25
CVE-2023-35941 — Envoyproxy Envoy vulnerability | cvebase