Lucene search

[email protected]NVD:CVE-2021-28682

HistoryMay 20, 2021 - 5:15 p.m.

CVE-2021-28682

2021-05-2017:15:07

CWE-190

[email protected]

web.nvd.nist.gov

envoy

integer overflow

remote exploit

grpc-timeout

unexpected timeout calculations

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

61.1%

JSON

An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.

Affected configurations

Nvd

Node

envoyproxyenvoyMatch1.14.6

envoyproxyenvoyMatch1.15.3

envoyproxyenvoyMatch1.16.2

envoyproxyenvoyMatch1.17.1

VendorProductVersionCPE
envoyproxyenvoy1.14.6cpe:2.3:a:envoyproxy:envoy:1.14.6:*:*:*:*:*:*:*
envoyproxyenvoy1.15.3cpe:2.3:a:envoyproxy:envoy:1.15.3:*:*:*:*:*:*:*
envoyproxyenvoy1.16.2cpe:2.3:a:envoyproxy:envoy:1.16.2:*:*:*:*:*:*:*
envoyproxyenvoy1.17.1cpe:2.3:a:envoyproxy:envoy:1.17.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
envoyproxy	envoy	1.14.6	cpe:2.3:a:envoyproxy:envoy:1.14.6:::::::*
envoyproxy	envoy	1.15.3	cpe:2.3:a:envoyproxy:envoy:1.15.3:::::::*
envoyproxy	envoy	1.16.2	cpe:2.3:a:envoyproxy:envoy:1.16.2:::::::*
envoyproxy	envoy	1.17.1	cpe:2.3:a:envoyproxy:envoy:1.17.1:::::::*