CVE-2024-23323 — Uncontrolled Resource Consumption in Envoy

CWE-400 — Uncontrolled Resource Consumption CWE-1176 — Inefficient CPU Computation2 documents2 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 94.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Envoyproxy Envoy

Timeline

PublishedFeb 9

Description

Envoy is a high-performance edge/middle/service proxy. The regex expression is compiled for every request and can result in high CPU usage and increased request latency when multiple routes are configured with such matchers. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5envoyproxy/envoy< 1.26.7+3

▶NVDenvoyproxy/envoy1.26.0 — 1.26.7+3

Patches

Patch: github.com ↗Patch: github.com ↗

📋Vendor Advisories

Red Hat

envoy: Excessive CPU usage when URI template matcher is configured using regex↗2024-02-09

▶