x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23322 #2542

GoVulnBot · 2024-02-10T00:01:31Z

CVE-2024-23322 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when the following are true: 1. hedge_on_per_try_timeout is enabled, 2. per_try_idle_timeout is enabled (it can only be done in configuration), 3. per-try-timeout is enabled, either through headers or configuration and its value is equal, or within the backoff interval of the per_try_idle_timeout. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-23322
JSON: https://github.com/CVEProject/cvelist/tree/a7e213dcc7f8ba1a4bf1befb1e58b0918b95abae/2024/23xxx/CVE-2024-23322.json
advisory: GHSA-6p83-mfmh-qv38
fix: envoyproxy/envoy@843f9e6
Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby

Cross references:

Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35945 #1917 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-2wmf-p7f8-w42h #1921 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35943 #1969 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35944 #1970 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-15226 #2242 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18801 #2247 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18802 #2248 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18836 #2249 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18838 #2250 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-9900 #2260 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-12603 #2273 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-12604 #2274 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-12605 #2275 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-15104 #2279 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25017 #2291 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25018 #2292 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-35470 #2301 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-35471 #2302 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8659 #2307 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8660 #2308 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8661 #2309 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8663 #2310 LEGACY_FALSE_POSITIVE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8664 #2311 LEGACY_FALSE_POSITIVE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.29.0
      packages:
        - package: envoy
cves:
    - CVE-2024-23322
references:
    - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38
    - fix: https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-02-29T01:18:00Z

Change https://go.dev/cl/568036 mentions this issue: data/excluded: batch add 23 excluded reports

neild self-assigned this Feb 28, 2024

neild added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Feb 28, 2024

gopherbot closed this as completed in 8bed429 Feb 29, 2024

This was referenced Apr 10, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-27919 #2710

Closed

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-30255 #2713

Closed

GoVulnBot mentioned this issue Apr 18, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32475 #2735

Closed

GoVulnBot mentioned this issue Jul 1, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-39305 #2960

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23322 #2542

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23322 #2542

GoVulnBot commented Feb 10, 2024

gopherbot commented Feb 29, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23322 #2542

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23322 #2542

Comments

GoVulnBot commented Feb 10, 2024

gopherbot commented Feb 29, 2024