PT-2024-31786 · Envoy · Envoy

Jforce · Published 2024-09-19 · Updated 2024-10-15

CVE-2024-45806

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
- Envoy versions prior to 1.28.7
- Envoy versions prior to 1.29.9
- Envoy versions prior to 1.30.6
- Envoy versions prior to 1.31.2
Description: A security issue in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. The issue arises because Envoy's default configuration of internal trust boundaries treats all RFC 1918 private address ranges as internal, so a client connecting from any private address is trusted as if it were part of the mesh. The default behavior for handling internal addresses in Envoy has been changed. Successful exploitation could allow attackers to bypass security controls, access sensitive data, or disrupt services within a service mesh such as Istio.
Recommendations:
- For versions prior to 1.28.7, upgrade to version 1.28.7 or later.
- For versions prior to 1.29.9, upgrade to version 1.29.9 or later.
- For versions prior to 1.30.6, upgrade to version 1.30.6 or later.
- For versions prior to 1.31.2, upgrade to version 1.31.2 or later.
- As a temporary workaround, explicitly include trusted addresses or CIDR ranges in the internal address config to minimize the risk of exploitation.

IDOR


Weakness Enumeration

Related Identifiers

BIT-ENVOY-2024-45806
CVE-2024-45806
GHSA-FFHV-FVXQ-R6MF

Affected Products

Envoy