An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed HTTP request without a Host header, it sends an internally generated "Invalid request" response. This internally generated response is dispatched through the configured encoder filter chain before being sent to the client. An encoder filter that invokes route manager APIs that access a request's Host header causes a NULL pointer dereference, resulting in abnormal termination of the Envoy process.
References
Link | Resource |
---|---|
https://blog.envoyproxy.io | Product |
https://github.com/envoyproxy/envoy/commits/master | Patch |
https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc | Exploit Third Party Advisory |
https://groups.google.com/forum/#%21forum/envoy-users | |
https://blog.envoyproxy.io | Product |
https://github.com/envoyproxy/envoy/commits/master | Patch |
https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc | Exploit Third Party Advisory |
https://groups.google.com/forum/#%21forum/envoy-users |
Configurations
History
21 Nov 2024, 04:33
Type | Values Removed | Values Added |
---|---|---|
References | () https://blog.envoyproxy.io - Product | |
References | () https://github.com/envoyproxy/envoy/commits/master - Patch | |
References | () https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc - Exploit, Third Party Advisory | |
References | () https://groups.google.com/forum/#%21forum/envoy-users - |
Information
Published : 2019-12-13 13:15
Updated : 2024-11-21 04:33
NVD link : CVE-2019-18838
Mitre link : CVE-2019-18838
CVE.ORG link : CVE-2019-18838
JSON object : View
Products Affected
envoyproxy
- envoy
CWE
CWE-476
NULL Pointer Dereference