CVE-2024-45808

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45808
Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
History

25 Sep 2024, 17:18

Type Values Removed Values Added
First Time Envoyproxy
Envoyproxy envoy
CPE cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
CWE CWE-116
References () https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc - () https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc - Vendor Advisory

20 Sep 2024, 12:30

Type Values Removed Values Added
Summary
  • (es) Envoy es un proxy de servicio, de borde y de medio alcance de alto rendimiento nativo de la nube. Se identificó una vulnerabilidad en Envoy que permite a atacantes maliciosos inyectar contenido inesperado en los registros de acceso. Esto se logra explotando la falta de validación del campo `REQUESTED_SERVER_NAME` para los registradores de acceso. Este problema se solucionó en las versiones 1.31.2, 1.30.6, 1.29.9 y 1.28.7. Se recomienda a los usuarios que actualicen la versión. No existen workarounds conocidas para esta vulnerabilidad.

20 Sep 2024, 00:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-20 00:15

Updated : 2024-09-25 17:18

NVD link : CVE-2024-45808

Mitre link : CVE-2024-45808

CVE.ORG link : CVE-2024-45808

JSON object : View

Products Affected

envoyproxy

  • envoy
CWE
CWE-116

Improper Encoding or Escaping of Output

CWE-117

Improper Output Neutralization for Logs