CVE-2024-23326 : Envoy is a cloud-native, open source edge and service proxy. A theoretical reque

Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching protocols. Envoy incorrectly accepts a 200 response from a server when requesting a protocol upgrade, but 200 does not indicate protocol switch. This opens up the possibility of request smuggling through Envoy if the server can be tricked into adding the upgrade header to the response.

Published 2024-06-04 20:05:48

Updated 2024-06-12 15:32:11

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2024-23326

Envoyproxy » Envoy
Versions before (<) 1.27.6
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions
Envoyproxy » Envoy
Versions from including (>=) 1.29.0 and before (<) 1.29.5
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions
Envoyproxy » Envoy
Versions from including (>=) 1.30.0 and before (<) 1.30.2
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions
Envoyproxy » Envoy
Versions from including (>=) 1.28.0 and before (<) 1.28.4
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-23326

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 5 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-23326

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	N/A	N/A	GitHub, Inc.	2024-06-04
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
8.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N	3.9	4.2	NIST	2024-06-12
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: Low Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	GitHub, Inc.	2024-06-04
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2024-23326

CWE-391 Unchecked Error Condition

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
Assigned by:
- a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
- security-advisories@github.com (Secondary)
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2024-23326

https://github.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c

Envoy incorrectly accepts HTTP 200 response for entering upgrade mode · Advisory · envoyproxy/envoy · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2024-23326

Products affected by CVE-2024-23326

Exploit prediction scoring system (EPSS) score for CVE-2024-23326

CVSS scores for CVE-2024-23326

CWE ids for CVE-2024-23326

References for CVE-2024-23326