CVE-2019-18838

An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed HTTP request without a Host header, it sends an internally generated "Invalid request" response. This internally generated response is dispatched through the configured encoder filter chain before being sent to the client. An encoder filter that invokes route manager APIs that access a request's Host header causes a NULL pointer dereference, resulting in abnormal termination of the Envoy process.
Configurations

Configuration 1 (hide)

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:33

Type Values Removed Values Added
References () https://blog.envoyproxy.io - Product () https://blog.envoyproxy.io - Product
References () https://github.com/envoyproxy/envoy/commits/master - Patch () https://github.com/envoyproxy/envoy/commits/master - Patch
References () https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc - Exploit, Third Party Advisory () https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc - Exploit, Third Party Advisory
References () https://groups.google.com/forum/#%21forum/envoy-users - () https://groups.google.com/forum/#%21forum/envoy-users -

Information

Published : 2019-12-13 13:15

Updated : 2024-11-21 04:33


NVD link : CVE-2019-18838

Mitre link : CVE-2019-18838

CVE.ORG link : CVE-2019-18838


JSON object : View

Products Affected

envoyproxy

  • envoy
CWE
CWE-476

NULL Pointer Dereference