CVE-2020-12604

Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
VendorProductVersion
envoyproxyenvoy
𝑥
≤ 1.12.4
envoyproxyenvoy
1.13.2
envoyproxyenvoy
1.14.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/envoyproxy/envoy/commits/master
https://github.com/envoyproxy/envoy/security/advisories/GHSA-8hf8-8gvw-ggvx
https://github.com/envoyproxy/envoy/commits/master
https://github.com/envoyproxy/envoy/security/advisories/GHSA-8hf8-8gvw-ggvx