Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-27488

Опубликовано: 04 апр. 2023
Источник: nvd
CVSS3: 5.4
CVSS3: 9.8
EPSS Низкий

Описание

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when failure_mode_allow: true is configured for ext_authz filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service.

When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-UTF-8 data was received, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For ext_authz that was configured with failure_mode_allow: true, the request would have been allowed in this case. For the other services, this could have resulted in other unforeseen errors such as a lack of visibility into requests.

As of versions 1.26.0, 1.25.3, 1.24.4, 1.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Версия до 1.22.9 (исключая)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Версия от 1.23.0 (включая) до 1.23.6 (исключая)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Версия от 1.24.0 (включая) до 1.24.4 (исключая)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Версия от 1.25.0 (включая) до 1.25.3 (исключая)

EPSS

Процентиль: 6%
0.00027
Низкий

5.4 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-20
NVD-CWE-noinfo

Связанные уязвимости

redhat логотип

CVE-2023-27488

CVSS3: 8.6
redhat
больше 2 лет назад

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-UTF-8 data was received, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For ext_authz that was configured with ``failure_mode_allow: true``, the request would have been allowed in this case. For the other services, this could have resulted in other unforeseen errors such as a lack of visibility into requests. As of versions 1.26.0, 1.25.3, 1.24.4, 1...

debian логотип

CVE-2023-27488

CVSS3: 5.4
debian
больше 2 лет назад

Envoy is an open source edge and service proxy designed for cloud-nati ...

oracle-oval логотип

ELSA-2023-23649

oracle-oval
больше 2 лет назад

ELSA-2023-23649: olcne security update (IMPORTANT)

oracle-oval логотип

ELSA-2023-23648

oracle-oval
больше 2 лет назад

ELSA-2023-23648: olcne security update (IMPORTANT)

oracle-oval логотип

ELSA-2023-12357

oracle-oval
больше 2 лет назад

ELSA-2023-12357: istio security update (IMPORTANT)

EPSS

Процентиль: 6%
0.00027
Низкий

5.4 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-20
NVD-CWE-noinfo