Envoyproxy / Envoy

8 matches found

CVE-2019-18802
Added 2019/12/13 1:15 p.m. | 163 views

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass "exampl...

CVSS 9.8 | AI score 9.2 | EPSS 0.00045
CVE-2023-27487
Added 2023/04/04 4:15 p.m. | 148 views

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header x-envoy-original-path should be an internal header, but En...

CVSS 9.1 | AI score 8.7 | EPSS 0.00024
CVE-2023-27493
Added 2023/04/04 8:15 p.m. | 147 views

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to...

CVSS 9.1 | AI score 8.7 | EPSS 0.00011
CVE-2023-27488
Added 2023/04/04 6:15 p.m. | 144 views

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when failure_mode_allow: true is configured for ext_authz filter. For affected components that are used for loggi...

CVSS 9.8 | AI score 7.5 | EPSS 0.00027
CVE-2022-21654
Added 2022/02/22 11:15 p.m. | 140 views

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's TLS allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default TLS settings are used. Users are advised t...

CVSS 9.8 | AI score 8.3 | EPSS 0.00057
CVE-2023-27491
Added 2023/04/04 7:15 p.m. | 138 views

Envoy is an open source edge and service proxy designed for cloud-native applications. A compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, there is a possibility that a non-compliant HTTP/1 service may allow malformed requests,...

CVSS 9.1 | AI score 6.9 | EPSS 0.00017
CVE-2019-18801
Added 2019/12/13 1:15 p.m. | 70 views

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1. This may be used to corrupt nearby heap contents (leading to a query-of-death scenario) or may be used to bypass Envoy's ac...

CVSS 9.8 | AI score 9.3 | EPSS 0.00044
CVE-2023-35941
Added 2023/07/25 6:15 p.m. | 57 views

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios in...

CVSS 9.8 | AI score 9 | EPSS 0.00042