Envoyproxy Envoy vulnerabilities
95 known vulnerabilities affecting envoyproxy/envoy.
Total CVEs: 95
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 63, MEDIUM 20, LOW 1
Vulnerabilities
Page 4 of 5
CVE-2022-23606 | MEDIUM | CVSS 6.5 | CWE-674 | ≥ 1.20.0, < 1.20.2; v1.21.0; +2 more | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnor
nvd
CVE-2022-21657 | MEDIUM | CVSS 6.5 | CWE-295 | fixed in 1.18.6; ≥ 1.19.0, < 1.19.3; +3 more | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). Thi
nvd
CVE-2022-21656 | MEDIUM | CVSS 5.9 | CWE-295 | fixed in 1.20.2 | 2022-02-22
Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for example, an rfc822Name or uniformResourceIndicator to be authenticated as
nvd
CVE-2021-39206 | HIGH | CVSS 8.6 | fixed in 1.16.5; ≥ 1.17.0, < 1.17.4; +2 more | 2021-09-09
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium. Pomerium v0.
nvd
CVE-2021-39204 | HIGH | CVSS 7.5 | CWE-834 | ≤ 1.16.4; ≥ 1.17.0, < 1.17.4; +2 more | 2021-09-09
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versions 0.14.8 and 0.15.1 contain an upgraded envoy binary wi
nvd
CVE-2021-39162 | HIGH | CVSS 8.6 | CWE-754 | fixed in 1.18.4; v1.19.0 | 2021-09-09
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upst
nvd
CVE-2021-32779 | HIGH | CVSS 8.3 | CWE-551 | ≥ 1.16.0, < 1.16.5; ≥ 1.17.0, < 1.17.4; +6 more | 2021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final "/admin" path element, or
nvd
CVE-2021-32777 | HIGH | CVSS 8.3 | CWE-551 | ≥ 1.16.0, < 1.16.5; ≥ 1.17.0, < 1.17.4; +2 more | 2021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow spec
nvd
CVE-2021-32781 | HIGH | CVSS 7.5 | CWE-416 | ≥ 1.16.0, < 1.16.5; ≥ 1.17.0, < 1.17.4; +6 more | 2021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions after Envoy sends a locally generated response it must stop further processing of request or response data. However when local response is generated due to the internal buffer overflow while request or response is processe
nvd
CVE-2021-32778 | HIGH | CVSS 7.5 | CWE-834 | ≥ 1.16.0, < 1.16.5; ≥ 1.17.0, < 1.17.4; +6 more | 2021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy’s procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured
nvd
CVE-2021-32780 | HIGH | CVSS 7.5 | CWE-754 | ≥ 1.18.0, < 1.18.4; v1.19.0; +2 more | 2021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS
nvd
CVE-2021-29492 | HIGH | CVSS 8.3 | CWE-22 | fixed in 1.15.5; ≥ 1.16.0, < 1.16.4; +3 more | 2021-05-28
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences
nvd
CVE-2021-28683 | HIGH | CVSS 7.5 | CWE-476 | v1.16.2; v1.17.1 | 2021-05-20
An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
nvd
CVE-2021-28682 | HIGH | CVSS 7.5 | CWE-190 | v1.14.6; v1.15.3; +2 more | 2021-05-20
An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
nvd
CVE-2021-29258 | HIGH | CVSS 7.5 | CWE-617 | v1.14.6; v1.15.3; +2 more | 2021-05-20
An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion.
nvd
CVE-2021-21378 | HIGH | CVSS 8.2 | CWE-287 | v1.17.0; v= 1.17.0 | 2021-03-11
Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the `allow_missing` requirement under `requires_any` due to a mistake in implementation. En
nvd
CVE-2020-35470 | HIGH | CVSS 8.8 | fixed in 1.16.1 | 2020-12-15
Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters).
nvd
CVE-2020-35471 | HIGH | CVSS 7.5 | fixed in 1.16.1 | 2020-12-15
Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1500.
nvd
CVE-2020-25017 | HIGH | CVSS 8.3 | fixed in 1.12.7; ≥ 1.13.0, < 1.13.4; +2 more | 2020-10-01
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurrences of a non-inline header.
nvd
CVE-2020-25018 | HIGH | CVSS 7.5 | ≥ 2d69e30, < 3b5acb2 | 2020-10-01
Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization.
nvd