{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27493", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-01T19:03:56.634Z", "datePublished": "2023-04-04T19:46:57.044Z", "dateUpdated": "2024-08-02T12:16:35.263Z"}, "containers": {"cna": {"title": "Envoy doesn't escape HTTP header values", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.25.0, < 1.25.3", "status": "affected"}, {"version": ">= 1.24.0, < 1.24.4", "status": "affected"}, {"version": ">= 1.23.0, < 1.23.6", "status": "affected"}, {"version": "< 1.22.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-04T19:46:57.044Z"}, "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy\u2019s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties."}], "source": {"advisory": "GHSA-w5w5-487h-qv8q", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:16:35.263Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAD93214-C958-4A69-9291-15D1C22CFD3F", "versionEndExcluding": "1.22.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "17BFB303-DA5A-4E83-93F7-3C1EA340E434", "versionEndExcluding": "1.23.6", "versionStartIncluding": "1.23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "92B633B8-FA4A-4630-9302-96F2C8336E36", "versionEndExcluding": "1.24.4", "versionStartIncluding": "1.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AFC6741-6FDF-47F6-A4AF-B5F5233ABB71", "versionEndExcluding": "1.25.3", "versionStartIncluding": "1.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy\u2019s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties."}], "id": "CVE-2023-27493", "lastModified": "2023-04-11T14:44:07.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-04T20:15:07.463", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4623", "cpe": "cpe:/a:redhat:service_mesh:2.2::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.2.9-2", "product_name": "Red Hat OpenShift Service Mesh 2.2 for RHEL 8", "release_date": "2023-08-11T00:00:00Z"}], "bugzilla": {"description": "envoy: envoy doesn't escape HTTP header values", "id": "2182158", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182158"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "verified"}, "details": ["Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy\u2019s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.", "A flaw was found in Envoy. Envoy doesn't escape HTTP header values due to a specifically constructed HTTP request or mTLS connection with a specifically crafted client certificate. Envoy configuration must also include an option to add request headers that were generated using inputs from the request, for example, the peer certificate SAN."], "name": "CVE-2023-27493", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Affected", "package_name": "servicemesh-proxy", "product_name": "OpenShift Service Mesh 2.1"}], "public_date": "2023-04-04T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-27493\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-27493"], "threat_severity": "Important"}