Description

Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

References

CVE-2024-45808

Related Vulnerabilities

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-1000170)

Mailman Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-5950)

MyBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-9418)

WordPress Plugin Floating Social Bar Cross-Site Scripting (1.1.5)

WordPress Plugin Flexible Custom Post Type Cross-Site Scripting (0.1.5)

Severity

Medium

Classification

CVE-2024-45808 CWE-116 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities