Description

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header.

Remediation

References

CVE-2020-25017

Related Vulnerabilities

MySQL CVE-2020-14680 Vulnerability (CVE-2020-14680)

Drupal Core 8.8.0 Denial of Service (8.8.0)

PHP-Fusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-17450)

WordPress Plugin AMP for WP-Accelerated Mobile Pages Multiple Unspecified Vulnerabilities (0.9.72)

Drupal Core 9.3.x Security Bypass (9.3.0 - 9.3.5)

Severity

High

Classification

CVE-2020-25017 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Tags

Missing Update Known Vulnerabilities