CVE-2024-53270
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions sendOverloadError is going to assume the active request exists when envoy.load_shed_points.http1_server_abort_dispatch is configured. If active_request is nullptr, only onMessageBeginImpl() is called. However, the onMessageBeginImpl will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable http1_server_abort_dispatch load shed point and/or use a high threshold.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| envoyproxy | envoy | >= 1.32.0, < 1.32.3 | affected |
| envoyproxy | envoy | >= 1.31.0, < 1.31.5 | affected |
| envoyproxy | envoy | >= 1.30.0, < 1.30.9 | affected |
| envoyproxy | envoy | < 1.29.12 | affected |
Weaknesses
- CWE-670: CWE-670: Always-Incorrect Control Flow Implementation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3
- https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.