Vulnerabilities > CVE-2021-29258 - Reachable Assertion vulnerability in Envoyproxy Envoy

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

envoyproxy

CWE-617

NVD

Published: 2021-05-20

Updated: 2021-05-27

Summary

An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion.

Vulnerable Configurations

Part	Description	Count
Application	Envoyproxy Envoyproxy Envoy 1.17.1 Envoyproxy Envoy 1.16.2 Envoyproxy Envoy 1.15.3 Envoyproxy Envoy 1.14.6	4

Common Weakness Enumeration (CWE)

CWE-617 - Reachable Assertion

References

https://github.com/envoyproxy/envoy-setec/pull/230
https://github.com/envoyproxy/envoy/security/advisories/GHSA-xw4q-6pj2-5gfg
https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases/tag/v1.14.0
https://github.com/envoyproxy/envoy/security/advisories/GHSA-rqvq-hxw5-776j