x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966

GoVulnBot · 2023-07-25T19:01:26Z

CVE-2023-35941 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration.

References:

Cross references:

Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.26.3
      packages:
        - package: envoy
description: |-
    Envoy is an open source edge and service proxy designed for cloud-native
    applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a
    malicious client is able to construct credentials with permanent validity in
    some specific scenarios. This is caused by the some rare scenarios in which HMAC
    payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4,
    1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid
    wildcards/prefix domain wildcards in the host's domain configuration.
cves:
    - CVE-2023-35941
references:
    - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-31T20:51:07Z

Change https://go.dev/cl/514636 mentions this issue: data/excluded: batch add 31 excluded reports

neild self-assigned this Jul 31, 2023

neild added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jul 31, 2023

gopherbot closed this as completed in 2439098 Jul 31, 2023

GoVulnBot mentioned this issue Oct 10, 2023

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

Closed

GoVulnBot mentioned this issue Apr 10, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-27919 #2710

Closed

GoVulnBot mentioned this issue Apr 10, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-30255 #2713

Closed

GoVulnBot mentioned this issue Apr 18, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32475 #2735

Closed

GoVulnBot mentioned this issue Jul 1, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-39305 #2960

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966

GoVulnBot commented Jul 25, 2023

gopherbot commented Jul 31, 2023

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966

Comments

GoVulnBot commented Jul 25, 2023

gopherbot commented Jul 31, 2023