CVE-2024-23325

Опубликовано: 09 фев. 2024

Источник: redhat

CVSS3: 5.9

Описание

Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol when using an address type that isn’t supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

A flaw was found in Envoy. The envoy proxy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
OpenShift Service Mesh 2	openshift-service-mesh/proxyv2-rhel8	Affected
OpenShift Service Mesh 2	servicemesh-proxy	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-248

https://bugzilla.redhat.com/show_bug.cgi?id=2259229envoy: Envoy crashes when using an address type that isn’t supported by the OS

5.9 Medium

CVSS3

Связанные уязвимости

CVE-2024-23325

CVSS3: 7.5

nvd

больше 1 года назад

CVE-2024-23325

CVSS3: 7.5

debian

больше 1 года назад

Envoy is a high-performance edge/middle/service proxy. Envoy crashes i ...

BDU:2024-02906

CVSS3: 7.5

fstec

больше 1 года назад

Уязвимость прокси-сервера Envoy, связанная с не перехваченным исключением, позволяющая нарушителю вызвать аварийное завершение работы приложения

ROS-20240423-06

CVSS3: 7.5

redos

около 1 года назад

Множественные уязвимости consul

5.9 Medium

CVSS3