CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
17.0%
Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when the following are true: 1. hedge_on_per_try_timeout is enabled, 2. per_try_idle_timeout is enabled (it can only be done in configuration), 3. per-try-timeout is enabled, either through headers or configuration and its value is equal, or within the backoff interval of the per_try_idle_timeout. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Vendor | Product | Version | CPE |
---|---|---|---|
envoyproxy | envoy | * | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
[
{
"vendor": "envoyproxy",
"product": "envoy",
"versions": [
{
"version": ">= 1.29.0, < 1.29.1",
"status": "affected"
},
{
"version": ">= 1.28.0, < 1.28.1",
"status": "affected"
},
{
"version": ">= 1.27.0, < 1.27.3",
"status": "affected"
},
{
"version": "< 1.26.7",
"status": "affected"
}
]
}
]