Envoyproxy Envoy vulnerabilities
95 known vulnerabilities affecting envoyproxy/envoy.
Total CVEs: 95
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 63, MEDIUM 20, LOW 1
Vulnerabilities
Page 3 of 5
CVE-2023-35943 | HIGH | CVSS 7.5 | CWE-416 | ≥ 1.23.0, < 1.23.12; ≥ 1.24.0, < 1.24.10; +6 more | 2023-07-25
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the `origin` header is removed and deleted between `decodeHeaders` and `encodeHeaders`. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix
nvd
CVE-2023-35942 | MEDIUM | CVSS 6.5 | CWE-416 | ≥ 1.23.0, < 1.23.12; ≥ 1.24.0, < 1.24.10; +6 more | 2023-07-25
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a `use-after-free` crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a
nvd
CVE-2023-35944 | MEDIUM | CVSS 5.3 | CWE-20 | ≥ 1.23.0, < 1.23.12; ≥ 1.24.0, < 1.24.10; +6 more | 2023-07-25
Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as `htTp` or `htTps`, or the b
nvd
CVE-2023-35945 | HIGH | CVSS 7.5 | CWE-400 | fixed in 1.23.11; ≥ 1.24.0, < 1.24.9; +6 more | 2023-07-13
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping str
nvd
CVE-2023-27493 | CRITICAL | CVSS 9.1 | CWE-20 | fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more | 2023-04-04
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values being sent to the upstream service. In the worst case
nvd
CVE-2023-27491 | CRITICAL | CVSS 9.1 | CWE-20 | fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more | 2023-04-04
Envoy is an open source edge and service proxy designed for cloud-native applications. A compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, there is a possibility that a non-compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security polici
nvd
CVE-2023-27487 | CRITICAL | CVSS 9.1 | CWE-20 | fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more | 2023-04-04
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request
nvd
CVE-2023-27488 | CRITICAL | CVSS 9.8 | CWE-20 | fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more | 2023-04-04
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logge
nvd
CVE-2023-27496 | HIGH | CVSS 7.5 | CWE-20 | fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more | 2023-04-04
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a `state` query param is present on any response that looks like an OAuth redirect response. Sending it a request with the URI path equivalent to the redirect path, without th
nvd
CVE-2023-27492 | MEDIUM | CVSS 6.5 | CWE-770 | fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more | 2023-04-04
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes.
As of versions 1.26.0, 1.25.3, 1.24.4, 1
nvd
CVE-2022-29226 | CRITICAL | CVSS 9.1 | CWE-306 | fixed in 1.22.1 | 2022-06-09
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validate
nvd
CVE-2022-29225 | HIGH | CVSS 7.5 | CWE-400 | fixed in 1.22.1 | 2022-06-09
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust syst
nvd
CVE-2022-29228 | HIGH | CVSS 7.5 | CWE-617 | fixed in 1.22.1 | 2022-06-09
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been
nvd
CVE-2022-29227 | HIGH | CVSS 7.5 | CWE-416 | fixed in 1.22.1 | 2022-06-09
Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the down
nvd
CVE-2022-29224 | MEDIUM | CVSS 5.9 | CWE-476 | fixed in 1.22.1 | 2022-06-09
Envoy is a cloud-native high-performance proxy. Versions of Envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configu
nvd
CVE-2022-21654 | CRITICAL | CVSS 9.8 | CWE-295 | ≥ 1.7.0, < 1.18.6; ≥ 1.19.0, < 1.19.3; +6 more | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's TLS allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default TLS settings are used. Users are advised to upgrade.
nvd
CVE-2021-43825 | HIGH | CVSS 7.5 | CWE-416 | fixed in 1.18.6; ≥ 1.19.0, < 1.19.3; +5 more | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request if the amount of buffered data is over the limit by sending 413 or 500 responses. How
nvd
CVE-2021-43824 | HIGH | CVSS 7.5 | CWE-476 | fixed in 1.18.6; ≥ 1.19.0, < 1.19.3; +5 more | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions a crafted request crashes Envoy when a CONNECT request is sent to JWT filter configured with regex match. This provides a denial of service attack vector. The only workaround is to not use regex in the JWT filter. Users are advised to upgrade.
nvd
CVE-2021-43826 | HIGH | CVSS 7.5 | CWE-416 | fixed in 1.18.6; ≥ 1.19.0, < 1.19.3; +5 more | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions of Envoy a crash occurs when configured for upstream tunneling and the downstream connection disconnects while the upstream connection or HTTP/2 stream is still being established. There are no workarounds for this issue. Users are ad
nvd
CVE-2022-21655 | HIGH | CVSS 7.5 | CWE-670 | fixed in 1.18.6; ≥ 1.19.0, < 1.19.3; +5 more | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. The Envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround, turn off internal redirects if direct response entries are configured on the
nvd