Envoy@1.26.0 Security Vulnerabilities and Issues — Envoy@1.26.0 CVE List

Lucene search

EnvoyproxyEnvoy1.26.0

10 matches found

CVE•added 2023/07/25 7:15 p.m.•2516 views

CVE-2023-35942

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a use-after-free crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1....

6.5CVSS7.8AI score0.00019EPSS

CVE•added 2023/07/13 9:15 p.m.•222 views

CVE-2023-35945

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWAY...

7.5CVSS7.4AI score0.00128EPSS

CVE•added 2024/02/09 11:15 p.m.•211 views

CVE-2024-23322

Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when the following are true: 1. hedge_on_per_try_timeout is enabled, 2. per_try_idle_timeout is enabled (it can only be done in configuration), 3. per-try-...

7.5CVSS7.3AI score0.0006EPSS

CVE•added 2023/07/25 7:15 p.m.•133 views

CVE-2023-35943

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeadersand encodeHeaders. Versions 1.27.0,...

7.5CVSS7.6AI score0.00009EPSS

CVE•added 2024/02/09 11:15 p.m.•90 views

CVE-2024-23324

Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed ...

8.6CVSS7.4AI score0.00021EPSS

CVE•added 2024/02/09 11:15 p.m.•70 views

CVE-2024-23327

Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protoc...

7.5CVSS7.4AI score0.00144EPSS

CVE•added 2023/07/25 7:15 p.m.•62 views

CVE-2023-35944

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with ...

8.2CVSS7.1AI score0.00008EPSS

CVE•added 2023/07/25 6:15 p.m.•61 views

CVE-2023-35941

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in...

9.8CVSS9AI score0.0005EPSS

CVE•added 2024/02/09 11:15 p.m.•53 views

CVE-2024-23325

Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol when using an address type that isn’t supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the clie...

7.5CVSS7.3AI score0.00042EPSS

CVE•added 2024/02/09 11:15 p.m.•43 views

CVE-2024-23323

Envoy is a high-performance edge/middle/service proxy. The regex expression is compiled for every request and can result in high CPU usage and increased request latency when multiple routes are configured with such matchers. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26...

5.3CVSS5AI score0.00011EPSS