CVE-2019-9900

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
Configurations

Configuration 1 (hide)

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:redhat:openshift_service_mesh:-:*:*:*:*:*:*:*

History

07 Nov 2023, 03:13

Type Values Removed Values Added
References
  • {'url': 'https://groups.google.com/forum/#!topic/envoy-announce/VoHfnDqZiAM', 'name': 'https://groups.google.com/forum/#!topic/envoy-announce/VoHfnDqZiAM', 'tags': ['Third Party Advisory'], 'refsource': 'CONFIRM'}
  • () https://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAM -

01 Jan 2022, 20:16

Type Values Removed Values Added
CPE cpe:2.3:a:redhat:openshift_service_mesh:-:*:*:*:*:*:*:*
First Time Redhat
Redhat openshift Service Mesh
References (CONFIRM) https://github.com/envoyproxy/envoy/security/advisories/GHSA-x74r-f4mw-c32h - (CONFIRM) https://github.com/envoyproxy/envoy/security/advisories/GHSA-x74r-f4mw-c32h - Exploit, Mitigation, Third Party Advisory
CWE CWE-20 CWE-74

Information

Published : 2019-04-25 15:29

Updated : 2023-12-10 12:59


NVD link : CVE-2019-9900

Mitre link : CVE-2019-9900

CVE.ORG link : CVE-2019-9900


JSON object : View

Products Affected

redhat

  • openshift_service_mesh

envoyproxy

  • envoy
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')