Open mend-for-github-com[bot] opened 3 months ago
Fork of Envoy used for testing and tinkering as part of the Istio dev process
Library home page: https://github.com/istio/envoy.git
Found in base branch: main
/http/async_client.h
Envoy is a cloud-native, open source edge and service proxy. Envoy exposed an out-of-memory (OOM) vector from the mirror response, since async HTTP client will buffer the response with an unbounded buffer.
Publish Date: 2024-06-04
URL: CVE-2024-34364
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
Type: Upgrade version
Origin: https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26
Release Date: 2024-06-04
Fix Resolution: v1.27.6,v1.28.4,v1.29.5,v1.30.2
CVE-2024-34364 - Medium Severity Vulnerability
Vulnerable Library - envoy1.12.0-alpha.1
Fork of Envoy used for testing and tinkering as part of the Istio dev process
Library home page: https://github.com/istio/envoy.git
Found in base branch: main
Vulnerable Source Files (1)
/http/async_client.h
Vulnerability Details
Envoy is a cloud-native, open source edge and service proxy. Envoy exposed an out-of-memory (OOM) vector from the mirror response, since async HTTP client will buffer the response with an unbounded buffer.
Publish Date: 2024-06-04
URL: CVE-2024-34364
CVSS 3 Score Details (5.7)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26
Release Date: 2024-06-04
Fix Resolution: v1.27.6,v1.28.4,v1.29.5,v1.30.2