CVE-2023-35945

2023-07-1321:15:08

Google

osv.dev

envoy

cloud-native

memory leak

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

22.9%

JSON

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWAY frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to GOAWAY frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

CPENameOperatorVersion
nghttp2eq1.33.0-r0
nghttp2eq1.50.0-r1
envoyeq1.36.0
envoyeq1.33.0
nghttp2eq1.16.0-r0
nghttp2eq1.9.2-r0
nghttp2eq1.5.0-r0
envoyeq1.43.0
nghttp2eq1.7.0-r0
nghttp2eq1.38.0-r0

Name	Operator	Version
nghttp2	eq	1.33.0-r0
nghttp2	eq	1.50.0-r1
envoy	eq	1.36.0
envoy	eq	1.33.0
nghttp2	eq	1.16.0-r0
nghttp2	eq	1.9.2-r0
nghttp2	eq	1.5.0-r0
envoy	eq	1.43.0
nghttp2	eq	1.7.0-r0
nghttp2	eq	1.38.0-r0