Vulnerabilities > CVE-2023-35942 - Use After Free vulnerability in Envoyproxy Envoy

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
envoyproxy
CWE-416
NVD
Published: 2023-07-25
Updated: 2023-08-02

Summary

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a `use-after-free` crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update.

Vulnerable Configurations

Part Description Count
Application
Envoyproxy
35

Common Weakness Enumeration (CWE)

References