Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios in which the HMAC payload can always be valid in the OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration.
Metrics
Affected Vendors & Products
References
History
Thu, 24 Oct 2024 18:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Metrics | | ssvc
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-07-25T17:40:56.203Z
Updated: 2024-10-24T17:52:20.654Z
Reserved: 2023-06-20T14:02:45.596Z
Link: CVE-2023-35941
Vulnrichment
Updated: 2024-08-02T16:37:40.557Z
NVD
Status: Analyzed
Published: 2023-07-25T18:15:10.993
Modified: 2023-08-02T18:34:33.230
Link: CVE-2023-35941
Redhat