CVE-2024-53271

Dec. 18, 2024, 10:15 p.m.

7.1
High

Description

Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue.

Product(s) Impacted

Product Versions
Envoy Proxy
  • ['1.31.5', '1.32.3']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-670
Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

References

https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8
https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f
https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f

Tags

security-advisories@github.com
CWE-670
2024-12-18
CVE-2024-53271

CVSS Score

7.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

    View Vector String

Timeline

Published: Dec. 18, 2024, 8:15 p.m.
Last Modified: Dec. 18, 2024, 10:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.