PT-2019-15674 · Envoy+1

Alyssa Wilk · Published 2019-12-13 · Updated 2024-11-13 · CVE-2019-18802

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Envoy version 1.12.0

Description: An issue was discovered where an untrusted remote client can send an HTTP header, such as the Host header, with whitespace after the header content. This allows the client to bypass matchers, for example, by sending a Host header with a value of "example.com " to bypass an "example.com" matcher.

Recommendations: For Envoy version 1.12.0, as a temporary workaround, consider restricting the use of HTTP headers with whitespace after the header content until a patch is available.
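The following is an added illustration, not Envoy code: it shows why an exact-value header matcher must strip RFC 7230 optional whitespace (SP/HTAB) before comparing, and gives a small detection helper that flags header values carrying trailing whitespace. The request bytes and header names are constructed for the example.

```python
from typing import Dict, List

OWS = " \t"  # RFC 7230 optional whitespace: SP / HTAB

def parse_headers(raw: bytes, strip_trailing_ows: bool) -> Dict[str, str]:
    """Parse the header block of a raw request (constructed input).
    With strip_trailing_ows=False the value keeps any trailing SP/HTAB,
    modelling the Envoy 1.12.0 behaviour the advisory describes; with
    True the value is trimmed as RFC 7230 requires."""
    headers: Dict[str, str] = {}
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            continue
        value = value.lstrip(OWS)          # leading OWS is always dropped
        if strip_trailing_ows:
            value = value.rstrip(OWS)      # the missing step in 1.12.0
        headers[name.lower()] = value
    return headers

def host_matches(raw: bytes, expected_host: str, strip_trailing_ows: bool) -> bool:
    """Exact-value matcher as a routing or deny rule would apply it."""
    return parse_headers(raw, strip_trailing_ows).get("host") == expected_host

def headers_with_trailing_ows(raw: bytes) -> List[str]:
    """Detection aid: names of headers whose raw value ends in SP/HTAB."""
    raw_values = parse_headers(raw, strip_trailing_ows=False)
    return [n for n, v in raw_values.items() if v and v[-1] in OWS]

# Constructed sample requests (not taken from the advisory).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
PADDED = b"GET / HTTP/1.1\r\nHost: example.com \r\nX-Trace: abc\t\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("padded", PADDED)):
        print(label,
              "unpatched match:", host_matches(req, "example.com", False),
              "hardened match:", host_matches(req, "example.com", True),
              "trailing-OWS headers:", headers_with_trailing_ows(req))
```

For the padded request the unpatched matcher reports no match (the rule is bypassed) while the hardened matcher still matches; the detection helper names both padded headers.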

Exploit

Fix


Related identifiers

CVE-2019-18802
GHSA-356M-VHW2-WCM4
MGASA-2020-0147
OPENSUSE-SU-2020:0379-1
OPENSUSE-SU-2020_0379-1
OPENSUSE-SU-2021:0341-1
OPENSUSE-SU-2021_0341-1
OPENSUSE-SU-2024:14491-1
RHSA-2019:4222
SUSE-SU-2020:0722-1
SUSE-SU-2020_0722-1

Affected products

Envoy
Suse