search

Pio1006 / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
0 stars 0 forks source link

CVE-2023-27488 (Critical) detected in multiple libraries - autoclosed #19

Closed mend-for-github-com[bot] closed 4 months ago

mend-for-github-com[bot] commented 1 year ago

CVE-2023-27488 - Critical Severity Vulnerability

Vulnerable Libraries - envoy1.12.0-alpha.1, envoy1.12.0-alpha.1, envoy1.12.0-alpha.1

Vulnerability Details

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-UTF-8 data was received, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For ext_authz that was configured with ``failure_mode_allow: true``, the request would have been allowed in this case. For the other services, this could have resulted in other unforeseen errors such as a lack of visibility into requests. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy by default sanitizes the values sent in gRPC service calls to be valid UTF-8, replacing data that is not valid UTF-8 with a `!` character. This behavioral change can be temporarily reverted by setting runtime guard `envoy.reloadable_features.service_sanitize_non_utf8_strings` to false. As a workaround, one may set `failure_mode_allow: false` for `ext_authz`.

Publish Date: 2023-04-04

URL: CVE-2023-27488

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph

Release Date: 2023-04-04

Fix Resolution: v1.22.9,v1.23.6,v1.24.4,v1.25.3

mend-for-github-com[bot] commented 4 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #67