PT-2023-3901 · Envoy · Envoy

Alyssawilk · Published 2023-07-25 · Updated 2024-03-06 · CVE-2023-35944

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Envoy versions prior to 1.27.0
Envoy versions prior to 1.26.4
Envoy versions prior to 1.25.9
Envoy versions prior to 1.24.10
Envoy versions prior to 1.23.12
Description

The issue is related to the handling of mixed-case schemes in HTTP/2 by Envoy, an open source edge and service proxy. Envoy's HTTP/2 codec passes mixed-case scheme values (such as htTp or htTps) through to internal scheme checks unchanged. Some of those checks compare the scheme case-sensitively, so a mixed-case value can either cause a legitimate request to be rejected or slip past a check that is meant to apply to it, for example the check that the https scheme is only accepted over encrypted connections, before the request is forwarded upstream. A remote attacker can use this to reach data that those checks were supposed to protect.
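To make the mechanism concrete, the following is an added illustrative example written for this entry; it is not Envoy source code and does not reproduce Envoy's internal function names. It models the two behaviours the description contrasts: a case-sensitive "scheme is https" check that a mixed-case value bypasses, beside a hardened check that validates the scheme against the RFC 3986 grammar and lower-cases it (schemes are case-insensitive per RFC 3986 section 3.1) before applying the same policy. The function names, the Decision enum and the sample inputs are all constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Constructed model of the behaviour described in the advisory.
// Example code for this entry only, not Envoy's implementation.

enum class Decision { Forward, Reject };

// Vulnerable check: an exact byte comparison. "htTps" is not equal to
// "https", so a mixed-case scheme is treated as "not https" and the
// plaintext-connection policy below never fires for it.
bool vulnerableIsHttps(const std::string& scheme) {
  return scheme == "https";
}

// Hardened helper: ASCII lower-casing of the scheme so that later
// comparisons see one canonical spelling (RFC 3986 says scheme is
// case-insensitive; lower case is the canonical form).
std::string lowercaseScheme(const std::string& scheme) {
  std::string out(scheme);
  std::transform(out.begin(), out.end(), out.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return out;
}

// Hardened helper: RFC 3986 scheme grammar,
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
// Anything else is rejected outright rather than forwarded upstream.
bool isValidScheme(const std::string& scheme) {
  if (scheme.empty() || !std::isalpha(static_cast<unsigned char>(scheme[0]))) {
    return false;
  }
  return std::all_of(scheme.begin(), scheme.end(), [](unsigned char c) {
    return std::isalnum(c) || c == '+' || c == '-' || c == '.';
  });
}

// "Before": policy "https is only allowed over TLS", evaluated on the raw
// :scheme value. A client sending ":scheme: htTps" over a plaintext
// connection is forwarded, which is the bypass the advisory describes.
Decision vulnerableDecide(const std::string& scheme, bool connection_is_tls) {
  if (vulnerableIsHttps(scheme) && !connection_is_tls) {
    return Decision::Reject;
  }
  return Decision::Forward;
}

// "After": validate the grammar, normalise to lower case, then apply the
// same policy. Mixed case can no longer change the outcome, and a
// legitimate "htTp" request is neither rejected nor misclassified.
Decision hardenedDecide(const std::string& scheme, bool connection_is_tls) {
  if (!isValidScheme(scheme)) {
    return Decision::Reject;
  }
  const std::string normalised = lowercaseScheme(scheme);
  if (normalised == "https" && !connection_is_tls) {
    return Decision::Reject;
  }
  return Decision::Forward;
}
```

The interesting pair of calls is vulnerableDecide("htTps", false), which forwards, against hardenedDecide("htTps", false), which rejects; hardenedDecide("htTp", false) still forwards, showing that normalising rather than rejecting mixed case avoids the false-rejection half of the problem as well.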
Recommendations

For versions prior to 1.27.0, update to version 1.27.0 or later.
For versions prior to 1.26.4, update to version 1.26.4 or later.
For versions prior to 1.25.9, update to version 1.25.9 or later.
For versions prior to 1.24.10, update to version 1.24.10 or later.
For versions prior to 1.23.12, update to version 1.23.12 or later.

Exploit

Fix

HTTP Request/Response Smuggling

RCE

Weakness Enumeration

Related Identifiers

BDU:2023-04196
BIT-ENVOY-2023-35944
CVE-2023-35944
GHSA-PVGM-7JPG-PW5G

Affected Products

Envoy