Lucene search
GitHub_MCVELIST:CVE-2023-27493HistoryApr 04, 2023 - 7:46 p.m.
CVE-2023-27493 Envoy doesn't escape HTTP header values
2023-04-0419:46:57
CWE-20
GitHub_M
raw.githubusercontent.com
1
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoyβs security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.
Related
prion
prion
Cross site request forgery (csrf)
2023-04-04 20:15:00
wolfi
wolfi
CVE-2023-27493 vulnerabilities
2024-02-28 01:49:02
redhatcve
redhatcve
CVE-2023-27493
2023-04-05 12:13:36
osv
osv
CVE-2023-27493
2023-04-04 20:15:07
BIT-envoy-2023-27493
2024-03-06 10:53:47
cve
cve
CVE-2023-27493
2023-04-04 20:15:07
cgr
cgr
CVE-2023-27493 vulnerabilities
2024-02-27 23:19:47
oraclelinux
oraclelinux
istio security update
2023-06-02 00:00:00
istio security update
2023-06-02 00:00:00
olcne security update
2023-06-02 00:00:00
nessus
nessus
Amazon Linux 2 : ecs-service-connect-agent (ALASECS-2023-003)
2023-07-14 00:00:00
Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2023-165)
2023-05-03 00:00:00
Oracle Linux 7 : olcne (ELSA-2023-23649)
2023-05-26 00:00:00
redhat
redhat