CVE-2023-35943

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeadersand encodeHeaders. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the origin header in the Envoy configuration.

Published: Jul 25, 2023
Updated: Aug 3, 2023
CVE: CVE-2023-35943
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-416

Affected Software
References

Software	From	Fixed in
envoyproxy / envoy	1.24.0	1.24.10
envoyproxy / envoy	1.25.0	1.25.9
envoyproxy / envoy	1.26.0	1.26.4
envoyproxy / envoy	1.23.0	1.23.12

https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq

Vulnerability Database

289,599

CVE-2023-35943