Envoy@* Security Vulnerabilities and Issues — Envoy@* CVE List

Lucene search

EnvoyproxyEnvoy*

10 matches found

CVE•added 2024/04/04 8:15 p.m.•110 views

CVE-2024-30255

Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATI...

7.5CVSS5.5AI score0.90992EPSS

CVE•added 2024/09/20 12:15 a.m.•99 views

CVE-2024-45810

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the http async client is handling sendLocalReply under some circumstance, e.g., websocket upgrade, and requests mirroring. The http async client will crash during the sendLocalReply() in http async client, one...

7.5CVSS7AI score0.00046EPSS

CVE•added 2024/09/20 12:15 a.m.•90 views

CVE-2024-45806

Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's default configuration of...

6.5CVSS6.8AI score0.00331EPSS

CVE•added 2024/12/18 8:15 p.m.•77 views

CVE-2024-53270

Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions sendOverloadError is going to assume the active request exists when envoy.load_shed_points.http1_server_abort_dispatch is configured. If active_request is nullptr, only onMessageBeginImpl() is called. However, ...

7.5CVSS7.4AI score0.00011EPSS

CVE•added 2024/06/04 9:15 p.m.•58 views

CVE-2024-23326

Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching prot...

8.2CVSS6.6AI score0.00043EPSS

CVE•added 2024/09/20 12:15 a.m.•58 views

CVE-2024-45808

Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the REQUESTED_SERVER_NAME field for access logger...

6.5CVSS6.7AI score0.00027EPSS

CVE•added 2024/06/04 9:15 p.m.•50 views

CVE-2024-34364

Envoy is a cloud-native, open source edge and service proxy. Envoy exposed an out-of-memory (OOM) vector from the mirror response, since async HTTP client will buffer the response with an unbounded buffer.

6.5CVSS6.3AI score0.00023EPSS

CVE•added 2024/06/04 9:15 p.m.•30 views

CVE-2024-32974

Envoy is a cloud-native, open source edge and service proxy. A crash was observed in EnvoyQuicServerStream::OnInitialHeadersComplete() with following call stack. It is a use-after-free caused by QUICHE continuing push request headers after StopReading() being called on the stream. As after StopRead...

7.5CVSS6.6AI score0.00024EPSS

CVE•added 2024/06/04 9:15 p.m.•24 views

CVE-2024-32975

Envoy is a cloud-native, open source edge and service proxy. There is a crash at QuicheDataReader::PeekVarInt62Length(). It is caused by integer underflow in the QuicStreamSequencerBuffer::PeekRegion() implementation.

7.5CVSS6.5AI score0.00028EPSS

CVE•added 2024/06/04 9:15 p.m.•20 views

CVE-2024-34362

Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager (HCM) with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESET_STREAM frame, and then after receiving the...

5.9CVSS6AI score0.00018EPSS