Описание
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeadersand encodeHeaders. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the origin header in the Envoy configuration.
A flaw was found in Envoy. Suppose an origin header is configured to be removed with request_headers_to_remove: origin. The CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeaders and encodeHeaders.
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the `origin` header is removed and deleted between `decodeHeaders`and `encodeHeaders`. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the `origin` header in the Envoy configuration.
Envoy is an open source edge and service proxy designed for cloud-nati ...
Уязвимость фильтра HTTP CORS прокси-сервера Envoy, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании» (DoS)
7.5 High
CVSS3