Unrated severityNVD Advisory· Published Feb 9, 2024· Updated Aug 19, 2024

Envoy ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata

CVE-2024-23324

Description

Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected products

Envoyproxy/Envoyv5
Range: >= 1.29.0, < 1.29.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/envoyproxy/envoy/commit/29989f6cc8bfd8cd2ffcb7c42711eb02c7a5168amitrex_refsource_MISC
github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000