Vulnerabilities > CVE-2024-23327 - NULL Pointer Dereference vulnerability in Envoyproxy Envoy

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

envoyproxy

CWE-476

NVD

Published: 2024-02-09

Updated: 2024-02-15

Summary

Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable Configurations

Part	Description	Count
Application	Envoyproxy Envoyproxy Envoy 1.29.0 Envoyproxy Envoy 1.26.0 Envoyproxy Envoy 1.26.1 Envoyproxy Envoy 1.26.2 Envoyproxy Envoy 1.26.3 Envoyproxy Envoy 1.26.4 Envoyproxy Envoy 1.28.0 Envoyproxy Envoy 1.27.0 Envoyproxy Envoy 1.27.1 Envoyproxy Envoy 1.27.2	10

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References