CVEs reported by Envoy.
| Field | Value |
|---|---|
| CVSS Impact Score | 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) |
| Affected Releases | All releases prior to 1.16.0; 1.16.0 to 1.16.6; 1.17.0 to 1.17.4; 1.18.0 to 1.18.1 |
- CVE-2023-35941 (CVSS Score 8.6, High): OAuth2 credentials exploit with permanent validity.
- CVE-2023-35942 (CVSS Score 6.5, Moderate): gRPC access log crash caused by the listener draining.
- CVE-2023-35943 (CVSS Score 6.3, Moderate): CORS filter segfault when origin header is removed.
- CVE-2023-35944 (CVSS Score 8.2, High): Incorrect handling of HTTP requests and responses with mixed case schemes in Envoy.
Am I Impacted?
You are impacted if you accept HTTP/2 traffic from untrusted sources, which applies to most users. This especially applies if you use a Gateway exposed on the public internet.
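To turn the "Am I Impacted?" question into a repeatable check, the following added example (not Envoy project code) encodes the affected release ranges listed above and combines them with the untrusted-HTTP/2 exposure condition. It assumes the version triple can be found as a `major.minor.patch` token in the output of `envoy --version`; the sample line it parses is constructed for illustration.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected releases as listed on this page.
PRIOR_TO: Version = (1, 16, 0)  # "All releases prior to 1.16.0"
INCLUSIVE_RANGES = [            # "X to Y", treated as inclusive on both ends
    ((1, 16, 0), (1, 16, 6)),
    ((1, 17, 0), (1, 17, 4)),
    ((1, 18, 0), (1, 18, 1)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first major.minor.patch triple found in `text`, or None.

    Works on a bare "1.16.3" as well as on a full `envoy --version` line
    (assumed here to contain the version as a "/1.16.3/" segment).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when `version` falls in any affected range from the advisory."""
    if version < PRIOR_TO:
        return True
    return any(lo <= version <= hi for lo, hi in INCLUSIVE_RANGES)


def assess(version_text: str, accepts_untrusted_http2: bool) -> Tuple[Optional[bool], bool]:
    """Return (affected_release, impacted).

    affected_release is None when no version could be parsed; impacted is
    True only when the release is affected AND the deployment accepts
    HTTP/2 from untrusted sources, the condition stated under
    "Am I Impacted?".
    """
    v = parse_version(version_text)
    if v is None:
        return (None, False)
    affected = is_affected(v)
    return (affected, affected and accepts_untrusted_http2)


# Constructed sample `envoy --version` line (fake commit id, fake build).
SAMPLE_VERSION_LINE = "envoy  version: 0123abcd/1.16.3/Clean/RELEASE/BoringSSL"
```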