Multiple CVEs reported by Envoy.
| CVSS Impact Score | 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
|---|---|
| Affected Releases | All releases prior to 1.15.0; 1.15.0 to 1.15.6; 1.16.0 to 1.16.3; 1.17.0 to 1.17.1 |
- CVE-2023-27487 (CVSS Score 8.2, High): Client may fake the header
- CVE-2023-27488 (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with a non-UTF8 value is received.
- CVE-2023-27491 (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
- CVE-2023-27492 (CVSS Score 4.8, Moderate): Crash when a large request body is processed in the Lua filter.
- CVE-2023-27493 (CVSS Score 8.1, High): Envoy doesn't escape HTTP header values.
- CVE-2023-27496 (CVSS Score 6.5, Moderate): Crash when a redirect URL without a state parameter is received in the OAuth filter.
Am I Impacted?
You may be at risk if you have an Istio gateway or if you use external istiod.
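The following is an added example, not part of this bulletin or of the Istio project, that encodes the affected-release table above as a version check. It assumes you collect version strings yourself (for example from `istioctl version` or from the image tags of your istiod and gateway pods; the image names and sample versions in the block are constructed for illustration), and it classifies each one as affected, patched, or unparseable.

```python
import re
from typing import Dict, Optional, Tuple

# Affected Istio release ranges exactly as listed in the bulletin's table.
# Everything before 1.15.0 is affected; for the supported lines the tuple
# gives the first and last affected patch release.
AFFECTED_RANGES = {
    15: (0, 6),   # 1.15.0 to 1.15.6
    16: (0, 3),   # 1.16.0 to 1.16.3
    17: (0, 1),   # 1.17.0 to 1.17.1
}

# Accepts "1.16.2", "v1.17.1" and tagged variants such as "1.16.2-distroless".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a dotted triple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_from_image(image: str) -> str:
    """Take the tag from an image reference such as 'docker.io/istio/proxyv2:1.16.2'.
    Assumption: the deployment uses tag-based references, not digests."""
    return image.rsplit(":", 1)[-1]


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range from the bulletin,
    False if it is a patched or later release, None if it cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    if major < 1 or (major == 1 and minor < 15):
        return True                     # "All releases prior to 1.15.0"
    if major > 1:
        return False
    if minor in AFFECTED_RANGES:
        lo, hi = AFFECTED_RANGES[minor]
        return lo <= patch <= hi
    return False                        # minor lines not listed in the bulletin


def assess(components: Dict[str, str]) -> Dict[str, str]:
    """Map each component name to 'AFFECTED', 'OK' or 'UNKNOWN'."""
    labels = {True: "AFFECTED", False: "OK", None: "UNKNOWN"}
    return {name: labels[is_affected(ver)] for name, ver in components.items()}


# Constructed sample: image tags as you might read them from istiod and
# ingress-gateway pod specs. These are not real cluster output.
SAMPLE_IMAGES = {
    "istiod": "docker.io/istio/pilot:1.16.2",
    "ingressgateway": "docker.io/istio/proxyv2:1.16.2",
    "egressgateway": "docker.io/istio/proxyv2:1.17.2",
    "legacy-gateway": "docker.io/istio/proxyv2:1.14.5",
}


def assess_images(images: Dict[str, str]) -> Dict[str, str]:
    """Convenience wrapper: assess a mapping of component -> image reference."""
    return assess({name: version_from_image(img) for name, img in images.items()})


if __name__ == "__main__":
    for name, status in assess_images(SAMPLE_IMAGES).items():
        print(f"{name:16s} {SAMPLE_IMAGES[name]:40s} {status}")
```

A version in any of the listed ranges, or anything older than 1.15.0, is reported as AFFECTED; the first patched release of each line (1.15.7, 1.16.4, 1.17.2, implied by the table's upper bounds) is reported as OK. Check both istiod and every gateway, since the bulletin names both as exposure points.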