A flaw was found in Envoy. It is possible to modify or manipulate headers from external clients when pass-through routes are used for the ingress gateway. This issue could allow a malicious user to forge what is logged by Envoy as a requested path and cause the Envoy proxy to make requests to internal-only services or arbitrary external systems. This is a regression of the fix for CVE-2023-27487.
Metrics
Affected Vendors & Products
References
History
Fri, 20 Sep 2024 01:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Thu, 19 Sep 2024 22:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A flaw was found in Envoy. It is possible to modify or manipulate headers from external clients when pass-through routes are used for the ingress gateway. This issue could allow a malicious user to forge what is logged by Envoy as a requested path and cause the Envoy proxy to make requests to internal-only services or arbitrary external systems. This is a regression of the fix for CVE-2023-27487. | |
Title | Envoy: server-side request forgery via http header manipulation | |
First Time appeared |
Redhat
Redhat service Mesh |
|
Weaknesses | CWE-20 | |
CPEs | cpe:/a:redhat:service_mesh:2 | |
Vendors & Products |
Redhat
Redhat service Mesh |
|
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-09-19T22:17:51.582Z
Updated: 2024-09-19T22:17:51.582Z
Reserved: 2024-07-29T12:34:41.016Z
Link: CVE-2024-7207
Vulnrichment
No data.
NVD
Status : Received
Published: 2024-09-19T23:15:12.337
Modified: 2024-09-19T23:15:12.337
Link: CVE-2024-7207
Redhat