CVE-2024-23327

Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: Feb 10, 2024
Updated: Feb 16, 2024
CVE: CVE-2024-23327
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-476

Affected Software
References

Software	From	Fixed in
envoyproxy / envoy	1.29.0	1.29.1
envoyproxy / envoy	1.26.0	1.26.7
envoyproxy / envoy	1.28.0	1.28.1
envoyproxy / envoy	1.27.0	1.27.3

https://github.com/envoyproxy/envoy/commit/63895ea8e3cca9c5d3ab4c5c128ed1369969d54a
https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j

Vulnerability Database

289,599

CVE-2024-23327