Lucene search
GoogleOSV:CVE-2023-35944HistoryJul 25, 2023 - 7:15 p.m.
CVE-2023-35944
2023-07-2519:15:11
Google
osv.dev
4
envoy
http/2
scheme rejection
request bypass
security vulnerability
cloud-native
open source
Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as htTp or htTps, or the bypassing of some requests such as https in unencrypted connections. With a fix in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, Envoy will now lowercase scheme values by default, and change the internal scheme checks that were case-sensitive to be case-insensitive. There are no known workarounds for this issue.
Related
cve
cve
CVE-2023-35944
2023-07-25 19:15:11
redhatcve
redhatcve
CVE-2023-35944
2023-07-26 16:47:36
cvelist
cvelist
veracode
veracode
Authentication Bypass
2023-07-27 09:42:47
osv
osv
BIT-envoy-2023-35944
2024-03-06 10:52:47
prion
prion
Design/Logic Flaw
2023-07-25 19:15:00
nvd
nvd
CVE-2023-35944
2023-07-25 19:15:11
oraclelinux
oraclelinux
olcne security update
2023-09-11 00:00:00
istio security update
2023-09-08 00:00:00
istio security update
2023-09-08 00:00:00
nessus
nessus
Oracle Linux 9 : istio (ELSA-2023-12771)
2023-09-18 00:00:00
Oracle Linux 8 : olcne (ELSA-2023-12772)
2023-09-11 00:00:00
Oracle Linux 7 : istio (ELSA-2023-12781)
2023-09-08 00:00:00
redhat
redhat