CVE-2024-23322

2024-02-1318:09:36

redhat.com

access.redhat.com

111

envoy

proxy

crash

timeouts

configuration

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

17.0%

JSON

A flaw was found in the Envoy proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when hedge_on_per_try_timeout is enabled, per_try_idle_timeout is enabled (it can only be done in configuration), and per-try-timeout is enabled, either through headers or configuration and its value is equal or within the backoff interval of the per_try_idle_timeout.