CVE-2024-45808
EUVD-2024-4161320.09.2024, 00:15
Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| envoyproxy | envoy | 𝑥 < 1.28.7 |
| envoyproxy | envoy | 1.29.0 ≤ 𝑥 < 1.29.9 |
| envoyproxy | envoy | 1.30.0 ≤ 𝑥 < 1.30.6 |
| envoyproxy | envoy | 1.31.0 ≤ 𝑥 < 1.31.2 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| envoyproxy | envoy | 𝑥 < 1.28.7 | ADP |
| envoyproxy | envoy | 1.29.0 ≤ 𝑥 < 1.29.9 | ADP |
| envoyproxy | envoy | 1.30.0 ≤ 𝑥 < 1.30.6 | ADP |
| envoyproxy | envoy | 1.31.0 ≤ 𝑥 < 1.31.2 | ADP |
Common Weakness Enumeration
- CWE-117 - Improper Output Neutralization for LogsThe software does not neutralize or incorrectly neutralizes output that is written to logs.
- CWE-116 - Improper Encoding or Escaping of OutputThe software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.