Undergoing Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
Products
Envoy
- 1.31.2
- 1.30.6
- 1.29.9
- 1.28.7
Source
security-advisories@github.com
CVE-2024-45808 details
Published : Sept. 20, 2024, 12:15 a.m.
Last Modified : Sept. 20, 2024, 12:30 p.m.
Description
Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
6.5 (on a scale of 1 to 10)
Weakness
Weakness | Name | Description |
---|---|---|
CWE-117 | Improper Output Neutralization for Logs | The product does not neutralize or incorrectly neutralizes output that is written to logs. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.5
Exploitability Score
3.9
Impact Score
2.5
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
URL | Source |
---|---|
https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.