Description

Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

References

CVE-2024-23327

Related Vulnerabilities

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-36399)

WordPress Plugin WP-StarsRateBox 'j' Parameter SQL Injection (1.1)

WordPress Plugin Relevanssi-A Better Search Cross-Site Scripting (3.3.7.1)

WordPress Plugin PWA for WP & AMP Security Bypass (1.7.32)

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-35480)

Severity

High

Classification

CVE-2024-23327 CWE-476 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Missing Update Known Vulnerabilities