CVE-2024-53271Always-Incorrect Control Flow Implementation in Envoy

CWE-670Always-Incorrect Control Flow Implementation2 documents2 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 90.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Envoyproxy Envoy
Timeline
PublishedDec 18

Description

Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

NVDenvoyproxy/envoy1.31.01.31.5+1
CVEListV5envoyproxy/envoy>= 1.31.0, < 1.31.5, >= 1.32.0, < 1.32.3+1

Patches

Patch: github.com

📋Vendor Advisories

1
Red Hat
envoy: HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy2024-12-18