Vulnerabilities > CVE-2024-23324 - Unspecified vulnerability in Envoyproxy Envoy

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

envoyproxy

NVD

Published: 2024-02-09

Updated: 2024-02-15

Summary

Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable Configurations

Part	Description	Count
Application	Envoyproxy Envoyproxy Envoy 1.29.0 Envoyproxy Envoy 1.26.0 Envoyproxy Envoy 1.26.1 Envoyproxy Envoy 1.26.2 Envoyproxy Envoy 1.26.3 Envoyproxy Envoy 1.26.4 Envoyproxy Envoy 1.28.0 Envoyproxy Envoy 1.27.0 Envoyproxy Envoy 1.27.1 Envoyproxy Envoy 1.27.2	10

Summary

Vulnerable Configurations

References