PT-2024-31788 · Envoy · Envoy
Howardjohn · Published 2024-09-19 · Updated 2026-01-06
CVE-2024-45808
CVSS v3.1: 6.5 (Medium), Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Envoy versions prior to 1.28.7
Envoy versions prior to 1.29.9
Envoy versions prior to 1.30.6
Envoy versions prior to 1.31.2
Description:
A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is possible because access loggers did not validate the REQUESTED_SERVER_NAME field (the TLS SNI value supplied by the client) before writing it.
Recommendations:
For versions prior to 1.28.7, upgrade to version 1.28.7 or later.
For versions prior to 1.29.9, upgrade to version 1.29.9 or later.
For versions prior to 1.30.6, upgrade to version 1.30.6 or later.
For versions prior to 1.31.2, upgrade to version 1.31.2 or later.
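As an added illustration of the defensive side of this issue (example code, not Envoy's own code and not the actual upstream fix), the Python below validates a requested server name against a hostname grammar before it is written to a log, escapes anything that fails so it cannot break a line, and scans constructed access-log lines for malformed entries. The log layout, the regexes and the sample log lines are assumptions.

```python
import re

# Hostname grammar used for the check (assumption: RFC 1123-style labels of
# letters, digits and hyphens joined by dots; not Envoy's own validator).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?$")


def is_valid_server_name(sni: str) -> bool:
    """Accept only hostname-shaped SNI values; anything else is treated as untrusted."""
    return 0 < len(sni) <= 253 and HOSTNAME_RE.fullmatch(sni) is not None


def sanitize_server_name(sni: str) -> str:
    """Return sni unchanged if it is a valid hostname; otherwise quote it and
    escape control and non-ASCII characters so it can never start a new log line."""
    if is_valid_server_name(sni):
        return sni
    escaped = "".join(
        c if 32 <= ord(c) < 127 and c != '"'
        else (f"\\x{ord(c):02x}" if ord(c) < 256 else f"\\u{ord(c):04x}")
        for c in sni
    )
    return f'"{escaped}"'


# Assumed access-log layout: [start_time] METHOD path status requested_server_name
LOG_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2}T[^\]]+\] [A-Z]+ \S+ \d{3} (\S*)$")

# Constructed sample log: line 3 is a stray continuation that a newline smuggled
# through an unchecked SNI would produce; line 4 carries a non-hostname SNI.
SAMPLE_LOG = (
    "[2024-09-19T10:00:00.000Z] GET /health 200 api.example.test\n"
    "[2024-09-19T10:00:01.000Z] GET /login 200 api.example.test\n"
    "forged continuation line\n"
    "[2024-09-19T10:00:02.000Z] POST /api 200 bad;name\n"
)


def find_suspicious_entries(log_text: str) -> list:
    """Flag lines that do not match the expected layout (likely injected text)
    or whose requested-server-name field is not a hostname. A forged line that
    reproduces the layout exactly cannot be told apart here, which is why the
    validation belongs in the logger itself, before the value is written."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m is None:
            findings.append((n, "malformed-line"))
        elif m.group(1) and not is_valid_server_name(m.group(1)):
            findings.append((n, "bad-server-name"))
    return findings
```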
Weakness type: Improper Encoding or Escaping of Output
Affected Products: Envoy