CVE-2023-35943

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.27.0 Envoy versions prior to 1.26.4 Envoy versions prior to 1.25.9 Envoy versions prior to 1.24.10 Envoy versions prior to 1.23.12

Description The issue is related to a use-after-free error in the HTTP CORS filter of the Envoy proxy server. This can be exploited by a remote attacker to perform a denial-of-service (DoS) attack when the origin header is removed between decodeHeaders and encodeHeaders operations.

Recommendations For versions prior to 1.27.0, update to version 1.27.0 or later. For versions prior to 1.26.4, update to version 1.26.4 or later. For versions prior to 1.25.9, update to version 1.25.9 or later. For versions prior to 1.24.10, update to version 1.24.10 or later. For versions prior to 1.23.12, update to version 1.23.12 or later. As a temporary workaround, do not remove the origin header in the Envoy configuration.