PT-2023-21167 · Envoy · Envoy
Cancecen
+1
·
Published
2023-04-04
·
Updated
2024-03-06
·
CVE-2023-27491
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.26.0
Envoy versions prior to 1.25.3
Envoy versions prior to 1.24.4
Envoy versions prior to 1.23.6
Envoy versions prior to 1.22.9
Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Compliant HTTP/1 service should reject malformed request lines. Prior to the fixed versions, there is a possibility that non-compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security policies.
Recommendations
For versions prior to 1.26.0, update to version 1.26.0 or later.
For versions prior to 1.25.3, update to version 1.25.3 or later.
For versions prior to 1.24.4, update to version 1.24.4 or later.
For versions prior to 1.23.6, update to version 1.23.6 or later.
For versions prior to 1.22.9, update to version 1.22.9 or later.
Exploit
Fix
HTTP Request/Response Smuggling
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Envoy