{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-35941", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-20T14:02:45.596Z", "datePublished": "2023-07-25T17:40:56.203Z", "dateUpdated": "2024-08-02T16:37:40.557Z"}, "containers": {"cna": {"title": "Envoy vulnerable to OAuth2 credentials exploit with permanent validity", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.26.0, < 1.26.4", "status": "affected"}, {"version": ">= 1.25.0, < 1.25.9", "status": "affected"}, {"version": ">= 1.24.0, < 1.24.10", "status": "affected"}, {"version": "< 1.23.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-25T17:40:56.203Z"}, "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration."}], "source": {"advisory": "GHSA-7mhv-gr67-hq55", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:37:40.557Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "588736F6-2FDC-4CF7-AFFA-7CFE16ED6EC6", "versionEndExcluding": "1.23.12", "versionStartIncluding": "1.23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8412E60-1C2F-4764-94F5-563FAA297466", "versionEndExcluding": "1.24.10", "versionStartIncluding": "1.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EC8FEB8-BB13-443C-8905-30B03F8F52E6", "versionEndExcluding": "1.25.9", "versionStartIncluding": "1.25.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA35F763-2810-4231-B5A9-93310BF7B765", "versionEndExcluding": "1.26.4", "versionStartIncluding": "1.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration."}], "id": "CVE-2023-35941", "lastModified": "2023-08-02T18:34:33.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-07-25T18:15:10.993", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5175", "cpe": "cpe:/a:redhat:service_mesh:2.2::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.2.10-3", "product_name": "Red Hat OpenShift Service Mesh 2.2 for RHEL 8", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:4624", "cpe": "cpe:/a:redhat:service_mesh:2.3::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.3.6-4", "product_name": "Red Hat OpenShift Service Mesh 2.3 for RHEL 8", "release_date": "2023-08-11T00:00:00Z"}, {"advisory": "RHSA-2023:4625", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.4.2-7", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-08-11T00:00:00Z"}], "bugzilla": {"description": "envoy: OAuth2 credentials exploit with permanent validity", "id": "2217977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217977"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "status": "verified"}, "cwe": "CWE-303", "details": ["Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration.", "A flaw was found in Envoy, where a malicious client can construct credentials with permanent validity in a specific scenario. This issue is caused by some rare scenarios, such as the combination of host and expiration time, in which the HMAC payload can always be valid in the OAuth2 filter's HMAC check."], "name": "CVE-2023-35941", "public_date": "2023-07-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-35941\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-35941"], "threat_severity": "Important", "upstream_fix": "envoy 1.26.3, envoy 1.25.8, envoy 1.24.9, envoy 1.23.11"}