Description

A flaw was found in Envoy. It is possible to modify or manipulate headers from external clients when pass-through routes are used for the ingress gateway. This issue could allow a malicious user to forge what is logged by Envoy as a requested path and cause the Envoy proxy to make requests to internal-only services or arbitrary external systems. This is a regression of the fix for CVE-2023-27487.

Remediation

References

CVE-2024-7207

Related Vulnerabilities

WordPress Plugin Analytics Remote Code Execution (1.7)

WordPress Plugin WP Statistics Cross-Site Scripting (12.6.3)

Apache HTTP Server Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Vulnerability (CVE-2014-0226)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-1902)

XWiki URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-29204)

Severity

Critical

Classification

CVE-2024-7207 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities