Vulnerabilities > CVE-2022-23606 - Unspecified vulnerability in Envoyproxy Envoy 1.20.0/1.20.1/1.21.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 3 |
References
- https://github.com/envoyproxy/envoy/commit/4b6dd3b53cd5c6d4d4df378a2fc62c1707522b31
- https://github.com/envoyproxy/envoy/commit/4b6dd3b53cd5c6d4d4df378a2fc62c1707522b31
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-9vp2-4cp7-vvxf
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-9vp2-4cp7-vvxf