PT-2023-3904 · Envoy · Envoy

Erikjoh · Published 2023-07-25 · Updated 2024-03-06 · CVE-2023-35941

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Envoy versions prior to 1.27.0
Envoy versions prior to 1.26.4
Envoy versions prior to 1.25.9
Envoy versions prior to 1.24.10
Envoy versions prior to 1.23.12
Description

The issue stems from the lack of an output encoding or escaping mechanism in the Envoy proxy server. It allows a remote attacker to impact the confidentiality, integrity, and availability of protected information. In specific scenarios, a malicious client can construct credentials with permanent validity, due to a rare issue in the OAuth2 filter's check where the HMAC payload can always be valid.
Recommendations

For versions prior to 1.27.0, update to version 1.27.0 or later.
For versions prior to 1.26.4, update to version 1.26.4 or later.
For versions prior to 1.25.9, update to version 1.25.9 or later.
For versions prior to 1.24.10, update to version 1.24.10 or later.
For versions prior to 1.23.12, update to version 1.23.12 or later.

As a temporary workaround, avoid using wildcards or prefix domain wildcards in the host's domain configuration.

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

BDU:2023-04199
BIT-ENVOY-2023-35941
CVE-2023-35941
GHSA-7MHV-GR67-HQ55

Affected Products

Envoy