CVE-2020-25017
8.3
HIGH
CVSS 3.1
EPSS 0.05%
Description
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header.
How to fix CVE-2020-25017
To remediate CVE-2020-25017, upgrade the affected package to a fixed version below.
- Bitnami/envoy—upgrade to 1.12.7 or later
Is CVE-2020-25017 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.12.7, >= 1.13.0, < 1.13.4, >= 1.14.0, < 1.14.4, >= 1.15.0, < 1.15.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |