Improper Check for Unusual or Exceptional Conditions Affecting envoyproxy/envoy package, versions [1.13.0,1.27.5) [1.28.0,1.28.3) [1.29.0,1.29.4) [1.30.0,1.30.1)
Snyk CVSS
Attack Complexity
Low
Availability
High
Threat Intelligence
EPSS
0.04% (9th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UNMANAGED-ENVOYPROXYENVOY-6670035
- published 21 Apr 2024
- disclosed 18 Apr 2024
- credit Adiyamankottai Rajaram
Introduced: 18 Apr 2024
New CVE-2024-32475 Open this link in a new tabHow to fix?
Upgrade envoyproxy/envoy
to version 1.27.5, 1.28.3, 1.29.4, 1.30.1 or higher.
Overview
Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in handling excessively long headers, including host
and :authority
, when auto_sni
is enabled for an upstream TLS cluster. An attacker can cause a crash by sending headers longer than 255 characters. Other headers are vulnerable if they've been set via override_auto_sni_header
.