CVE-2024-23327
Crash in proxy protocol when command type of LOCAL in Envoy
7.5
HIGH
CVSS 3.1
EPSS 0.31%
Description
Envoy is a high-performance edge/middle/service proxy. When the PROXY protocol v2 (PPv2) is enabled both on a listener and on the upstream cluster it routes to, the Envoy instance segfaults while crafting the upstream PPv2 header. This happens when the downstream connection's PPv2 header has the command type LOCAL and carries no protocol (address) block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
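The condition described above, the LOCAL command with no address block, is a spec-valid PPv2 header that a receiver must accept without assuming addresses are present. The following is an added example, not Envoy's own code: a small PPv2 parser and re-encoder that treats the address block as optional and falls back to emitting LOCAL upstream when no addresses were carried. It assumes the PPv2 wire layout from the PROXY protocol specification (12-byte signature, version/command byte, family/transport byte, 16-bit length, then the address block); sample headers are constructed inline.

```python
"""PROXY protocol v2 header handling (added example, not Envoy's own code).
Covers the edge case behind CVE-2024-23327: a LOCAL (0x20) header with no
address block (family UNSPEC, length 0) parses to addresses=None, and the
upstream header is then re-emitted as LOCAL instead of reading a block that is not there."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
CMD_LOCAL, CMD_PROXY = 0x0, 0x1
AF_UNSPEC, AF_INET, AF_INET6 = 0x0, 0x1, 0x2

@dataclass
class ProxyHeader:
    command: int
    family: int
    transport: int
    addresses: Optional[Tuple[str, str, int, int]]  # src, dst, sport, dport
    consumed: int  # bytes of the stream taken by the header

def parse_pp2(buf: bytes) -> ProxyHeader:
    """Parse one v2 header from the start of buf; raise on malformed input."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_tp, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2 or len(buf) < 16 + length:
        raise ValueError("bad version or truncated address block")
    command, family, transport = ver_cmd & 0xF, fam_tp >> 4, fam_tp & 0xF
    body, addresses = buf[16:16 + length], None
    # LOCAL means "use the connection's own endpoints": its address block is
    # optional, so only decode addresses when command, family and length allow.
    if command == CMD_PROXY and family == AF_INET and length >= 12:
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        addresses = (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)), sp, dp)
    return ProxyHeader(command, family, transport, addresses, 16 + length)

def encode_upstream_pp2(hdr: ProxyHeader) -> bytes:
    """Build the header for the upstream hop; emit LOCAL when no addresses exist."""
    if hdr.addresses is None:
        return PP2_SIGNATURE + bytes([0x20 | CMD_LOCAL, AF_UNSPEC << 4, 0, 0])
    src, dst, sp, dp = hdr.addresses
    block = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + struct.pack("!HH", sp, dp)
    fam_tp = (hdr.family << 4) | hdr.transport
    return PP2_SIGNATURE + struct.pack("!BBH", 0x20 | CMD_PROXY, fam_tp, len(block)) + block

# Constructed samples: LOCAL with no address block, and PROXY over TCP/IPv4 (0x11).
LOCAL_NO_BLOCK = PP2_SIGNATURE + bytes([0x20, 0x00, 0x00, 0x00])
PROXY_V4 = (PP2_SIGNATURE + bytes([0x21, 0x11, 0x00, 0x0C]) + ipaddress.IPv4Address("10.0.0.1").packed
            + ipaddress.IPv4Address("192.0.2.10").packed + struct.pack("!HH", 40000, 443))
```

Only IPv4 is decoded here; an IPv6 PROXY header parses with addresses=None and is therefore forwarded as LOCAL, which is safe but lossy.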
How to fix CVE-2024-23327
To remediate CVE-2024-23327, upgrade the affected package to a fixed version below.
- Upgrade to 1.26.7 or later (fixed releases: 1.26.7, 1.27.3, 1.28.1 and 1.29.1)
Is CVE-2024-23327 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Envoy: >= 1.26.0, < 1.26.7; >= 1.27.0, < 1.27.3; >= 1.28.0, < 1.28.1; >= 1.29.0, < 1.29.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |