Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios in which the HMAC payload can always be valid in the OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-07-25T17:40:56.203Z
Updated: 2024-08-02T16:37:40.557Z
Reserved: 2023-06-20T14:02:45.596Z
Link: CVE-2023-35941
NVD
Status : Analyzed
Published: 2023-07-25T18:15:10.993
Modified: 2023-08-02T18:34:33.230
Link: CVE-2023-35941