CVE-2024-45808
20.09.2024, 00:15
Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.Enginsight
| Vendor | Product | Version |
|---|---|---|
| envoyproxy | envoy | 𝑥 < 1.28.7 |
| envoyproxy | envoy | 1.29.0 ≤ 𝑥 < 1.29.9 |
| envoyproxy | envoy | 1.30.0 ≤ 𝑥 < 1.30.6 |
| envoyproxy | envoy | 1.31.0 ≤ 𝑥 < 1.31.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-117 - Improper Output Neutralization for LogsThe software does not neutralize or incorrectly neutralizes output that is written to logs.
- CWE-116 - Improper Encoding or Escaping of OutputThe software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.