CVE-2024-23326Unchecked Error Condition in Envoy

CWE-391Unchecked Error ConditionCWE-444HTTP Request Smuggling2 documents2 sources
Severity
8.2HIGHNVD
EPSS
0.1%
top 76.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Envoyproxy Envoy
Timeline
PublishedJun 4

Description

Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching protocols. Envoy incorrectly accepts a 200 response from a server when requesting a protocol upgrade, but 200 does not indicate protocol switch. This opens up the possibility of request smuggling through E

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

NVDenvoyproxy/envoy1.28.01.28.4+3
CVEListV5envoyproxy/envoy1.27.5+3

📋Vendor Advisories

1
Red Hat
envoy: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode2024-06-04