Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as `htTp` or `htTps`, or the bypassing of some requests such as `https` in unencrypted connections. With a fix in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, Envoy will now lowercase scheme values by default, and change the internal scheme checks that were case-sensitive to be case-insensitive. There are no known workarounds for this issue.
History

Wed, 23 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-25T18:35:59.135Z

Updated: 2024-10-23T20:18:42.493Z

Reserved: 2023-06-20T14:02:45.597Z

Link: CVE-2023-35944

cve-icon Vulnrichment

Updated: 2024-08-02T16:37:40.606Z

cve-icon NVD

Status : Analyzed

Published: 2023-07-25T19:15:11.240

Modified: 2023-08-02T16:37:33.317

Link: CVE-2023-35944

cve-icon Redhat

Severity : Important

Publid Date: 2023-07-25T00:00:00Z

Links: CVE-2023-35944 - Bugzilla