Lucene search

Redhat.comRH:CVE-2024-32475

HistoryApr 20, 2024 - 5:42 p.m.

CVE-2024-32475

2024-04-2017:42:39

redhat.com

access.redhat.com

cve-2024-32475

envoy

tls

denial of service

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

A flaw was found in Envoy, a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with “auto_sni” enabled, a request containing a “host/:authority” header longer than 255 characters triggers an abnormal termination of the Envoy process, leading to a denial of service.

References

bugzilla.redhat.com/show_bug.cgi?id=2276149

github.com/envoyproxy/envoy/commit/b47fc6648d7c2dfe0093a601d44cb704b7bad382

github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj

nvd.nist.gov/vuln/detail/CVE-2024-32475

www.cve.org/CVERecord?id=CVE-2024-32475

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for RH:CVE-2024-32475