Description
Envoy is an open source edge and service proxy designed for cloud-native applications. In versions from 1.26.0 up to, but not including, 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
Affected products
- envoyproxy / envoy: >= 1.38.0, < 1.38.3
- envoyproxy / envoy: >= 1.37.0, < 1.37.5
- envoyproxy / envoy: >= 1.36.0, < 1.36.9
- envoyproxy / envoy: >= 1.26.0, < 1.35.13
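
An exposure check built from the conditions in the description and the version ranges listed above, as an added example that is not code from the Envoy project. It assumes the Envoy bootstrap has already been parsed into a Python dict (from JSON or YAML) and that routes are defined inline; routes delivered over RDS are not visible to it. The function names and the SAMPLE config are constructed for illustration.

```python
# Added example: checks a version and a parsed config against the advisory's conditions.
AFFECTED = [  # (first affected, first fixed), copied from "Affected products"
    ((1, 38, 0), (1, 38, 3)),
    ((1, 37, 0), (1, 37, 5)),
    ((1, 36, 0), (1, 36, 9)),
    ((1, 26, 0), (1, 35, 13)),
]

def parse_version(text):
    """Turn '1.36.4' or 'v1.36.4-dev' into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def _walk(node):
    """Yield every dict nested anywhere inside a parsed config."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _walk(item)

def _is_grpc_stats(f):
    # Match on the filter name or on the typed_config type URL.
    ident = str(f.get("name", "")) + str(f.get("typed_config", ""))
    return "grpc_stats" in ident

def exposed_hcms(config):
    """stat_prefix of each HTTP connection manager with grpc_stats and a direct_response route."""
    hits = []
    for hcm in _walk(config):
        filters = hcm.get("http_filters")
        if not isinstance(filters, list):
            continue
        routes = _walk(hcm.get("route_config", {}))
        if any(_is_grpc_stats(f) for f in filters) and any("direct_response" in d for d in routes):
            hits.append(hcm.get("stat_prefix", "<unnamed>"))
    return hits

SAMPLE = {"static_resources": {"listeners": [{"filter_chains": [{"filters": [{  # constructed
    "name": "envoy.filters.network.http_connection_manager",
    "typed_config": {"stat_prefix": "ingress_http",
        "http_filters": [{"name": "envoy.filters.http.grpc_stats"}, {"name": "envoy.filters.http.router"}],
        "route_config": {"virtual_hosts": [{"name": "default", "domains": ["*"], "routes": [
            {"match": {"prefix": "/healthz"}, "direct_response": {"status": 200}}]}]}}}]}]}]}}
```

A deployment is in scope for the crash condition only when both `is_affected(<running version>)` is true and `exposed_hcms(<config>)` returns a non-empty list.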