CVE-2023-27493

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::

History

11 Apr 2023, 14:44

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q -~~	(MISC) https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q - Exploit, Vendor Advisory
CPE		cpe:2.3:a:envoyproxy:envoy::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
First Time		Envoyproxy Envoyproxy envoy
CWE	~~CWE-20~~	CWE-444

04 Apr 2023, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-04-04 20:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-27493

Mitre link : CVE-2023-27493

CVE.ORG link : CVE-2023-27493

JSON object : View

Products Affected

envoyproxy

envoy

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-20

Improper Input Validation

{"id": "CVE-2023-27493", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2023-04-04T20:15:07.463", "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-444"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy\u2019s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties."}], "lastModified": "2023-04-11T14:44:07.990", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAD93214-C958-4A69-9291-15D1C22CFD3F", "versionEndExcluding": "1.22.9"}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17BFB303-DA5A-4E83-93F7-3C1EA340E434", "versionEndExcluding": "1.23.6", "versionStartIncluding": "1.23.0"}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92B633B8-FA4A-4630-9302-96F2C8336E36", "versionEndExcluding": "1.24.4", "versionStartIncluding": "1.24.0"}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AFC6741-6FDF-47F6-A4AF-B5F5233ABB71", "versionEndExcluding": "1.25.3", "versionStartIncluding": "1.25.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}