Lucene search

[email protected]NVD:CVE-2023-35942

HistoryJul 25, 2023 - 7:15 p.m.

CVE-2023-35942

2023-07-2519:15:11

CWE-416

[email protected]

web.nvd.nist.gov

envoy

grpc

access logger

vulnerability

fix

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

31.1%

JSON

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener’s global scope can cause a use-after-free crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update.

Affected configurations

Nvd

Node

envoyproxyenvoyRange1.23.0–1.23.12

envoyproxyenvoyRange1.24.0–1.24.10

envoyproxyenvoyRange1.25.0–1.25.9

envoyproxyenvoyRange1.26.0–1.26.4

VendorProductVersionCPE
envoyproxyenvoy*cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
envoyproxy	envoy	*	cpe:2.3:a:envoyproxy:envoy::::::::

References

github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

31.1%

JSON

Related for NVD:CVE-2023-35942

cvelist1 veracode1 osv2 cve1 prion1 redhatcve1 nessus8 oraclelinux4 redhat2