Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Tue, 08 Oct 2024 02:30:00 +0000

Type: First Time appeared
  Values Added: Redhat; Redhat service Mesh
Type: CPEs
  Values Added: cpe:/a:redhat:service_mesh:2.6::el8; cpe:/a:redhat:service_mesh:2.6::el9
Type: Vendors & Products
  Values Added: Redhat; Redhat service Mesh

Wed, 25 Sep 2024 17:45:00 +0000

Type: Weaknesses
  Values Added: CWE-116

Fri, 20 Sep 2024 18:30:00 +0000

Type: First Time appeared
  Values Added: Envoyproxy; Envoyproxy envoy
Type: CPEs
  Values Added: cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Envoyproxy; Envoyproxy envoy
Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Sep 2024 09:30:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: threat_severity Moderate


Thu, 19 Sep 2024 23:45:00 +0000

Type: Description
  Values Added: Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Type: Title
  Values Added: Malicious log injection via access logs in envoy
Type: Weaknesses
  Values Added: CWE-117
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-19T23:34:26.714Z

Updated: 2024-09-20T17:25:17.393Z

Reserved: 2024-09-09T14:23:07.504Z

Link: CVE-2024-45808

Vulnrichment

Updated: 2024-09-20T17:25:13.264Z

NVD

Status: Analyzed

Published: 2024-09-20T00:15:02.733

Modified: 2024-09-25T17:18:38.823

Link: CVE-2024-45808

Redhat

Severity: Moderate

Public Date: 2024-09-20T00:15:02Z

Links: CVE-2024-45808 - Bugzilla