CVE-2024-23326

Name of the Vulnerable Software and Affected Versions Envoy (affected versions not specified)

Description A theoretical request smuggling issue exists in Envoy, a cloud-native, open source edge and service proxy. This occurs when a server is tricked into adding an upgrade header into a response. According to RFC 7230, a server sends a 101 response when switching protocols, but Envoy incorrectly accepts a 200 response from a server when requesting a protocol upgrade. This allows for the possibility of request smuggling through Envoy if the server can be tricked into adding the upgrade header to the response. The issue can be exploited by convincing Envoy that a TCP connection was successfully upgraded to WebSocket, which can be done by setting the upgrade and connection parameters to websockets and upgrade, respectively. After this, all requests sent to endpoints restricted by AuthorizationPolicy will pass successfully.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.