PT-2024-5888 · Envoy+1
Mregxn · Published 2024-06-29 · Updated 2024-09-02 · CVE-2024-39305
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.30.4
Envoy versions prior to 1.29.7
Envoy versions prior to 1.28.5
Envoy versions prior to 1.27.7
Description
The issue is a use-after-free error in the Envoy proxy server. It occurs when the route hash policy is configured with cookie attributes, which causes Envoy to reference already freed memory. As a result, arbitrary content of Envoy's memory can be sent to the upstream service, or the process can terminate abnormally. A remote attacker can exploit this to disclose protected information or cause a denial of service.
Recommendations
For versions prior to 1.30.4, update to version 1.30.4 or later.
For versions prior to 1.29.7, update to version 1.29.7 or later.
For versions prior to 1.28.5, update to version 1.28.5 or later.
For versions prior to 1.27.7, update to version 1.27.7 or later.
As a temporary workaround, do not use cookie attributes in route action hash policy.
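To check a deployment against the version list and the workaround above, the following added example (not code from the Envoy project or this advisory) audits a parsed route configuration for hash policy cookies that set attributes. The field names `hash_policy`, `cookie` and `attributes` are assumed to follow Envoy's v3 route configuration, and the sample configuration is constructed.

```python
# Added example, not Envoy project code. Field names (hash_policy -> cookie ->
# attributes) are assumed from Envoy's v3 route configuration.
FIXED = {(1, 27): 7, (1, 28): 5, (1, 29): 7, (1, 30): 4}  # first fixed patch per line, from this advisory

def parse_version(text):
    """'1.29.6' or 'v1.30.3-dev' -> (1, 29, 6) / (1, 30, 3)."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    major, minor, patch = (int(p) for p in core.split("."))
    return major, minor, patch

def is_affected_version(text):
    major, minor, patch = parse_version(text)
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Older lines sort below every fixed release listed; newer lines are not listed.
    return (major, minor) < min(FIXED)

def cookie_attribute_policies(node, path="$"):
    """Yield (path, cookie_name) for each hash policy cookie that sets attributes."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "hash_policy" and isinstance(value, list):
                for i, policy in enumerate(value):
                    cookie = policy.get("cookie") if isinstance(policy, dict) else None
                    if isinstance(cookie, dict) and cookie.get("attributes"):
                        yield f"{here}[{i}].cookie", cookie.get("name")
            yield from cookie_attribute_policies(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from cookie_attribute_policies(item, f"{path}[{i}]")

def audit(version, config):
    findings = list(cookie_attribute_policies(config))
    affected = is_affected_version(version)
    return {"affected_version": affected,
            "cookie_attribute_policies": findings,
            "exposed": affected and bool(findings)}

# Constructed sample: route /a uses cookie attributes, route /b does not.
SAMPLE_CONFIG = {"virtual_hosts": [{"name": "app", "routes": [
    {"match": {"prefix": "/a"}, "route": {"cluster": "a", "hash_policy": [
        {"cookie": {"name": "session", "ttl": "0s",
                    "attributes": [{"name": "SameSite", "value": "Strict"}]}}]}},
    {"match": {"prefix": "/b"}, "route": {"cluster": "b", "hash_policy": [
        {"cookie": {"name": "lb"}}, {"header": {"header_name": "x-user"}}]}},
]}]}
```

A configuration in YAML or JSON can be loaded into a dictionary first and passed to `audit` together with the running Envoy version.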
Weakness Enumeration
Use After Free
Affected Products
Envoy
Red Os