FKIE_CVE-2024-32475

Vulnerability from fkie_nvd - Published: 2024-04-18 15:15 - Updated: 2025-09-04 19:39
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with `auto_sni` enabled, a request containing a `host`/`:authority` header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the `host`/`:authority` header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.
References
security-advisories@github.comhttps://github.com/envoyproxy/envoy/commit/b47fc6648d7c2dfe0093a601d44cb704b7bad382Patch
security-advisories@github.comhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wjPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/envoyproxy/envoy/commit/b47fc6648d7c2dfe0093a601d44cb704b7bad382Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wjPatch, Vendor Advisory
Impacted products
Vendor Product Version
envoyproxy envoy *
envoyproxy envoy *
envoyproxy envoy *
envoyproxy envoy 1.30.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C14D25B6-21FA-458F-AE81-49C261C9E6B0",
              "versionEndExcluding": "1.27.5",
              "versionStartIncluding": "1.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4ECE390-0C15-4C94-AA80-1DAA7479ADA5",
              "versionEndExcluding": "1.28.3",
              "versionStartIncluding": "1.28.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDB6B9D8-64C1-48CD-9AB1-38364D93AAEE",
              "versionEndExcluding": "1.29.4",
              "versionStartIncluding": "1.29.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:1.30.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "063805F2-0BF6-4527-A383-0EC37C5FE4D2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with `auto_sni` enabled, a request containing a `host`/`:authority` header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the `host`/`:authority` header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.\n"
    },
    {
      "lang": "es",
      "value": "Envoy es un proxy de servicio y borde de c\u00f3digo abierto, nativo de la nube. Cuando se utiliza un cl\u00faster TLS ascendente con `auto_sni` habilitado, una solicitud que contiene un encabezado `host`/`:authority` de m\u00e1s de 255 caracteres desencadena una terminaci\u00f3n anormal del proceso de Envoy. Envoy no maneja correctamente un error al configurar SNI para la conexi\u00f3n TLS saliente. El error puede ocurrir cuando Envoy intenta usar el valor del encabezado `host`/`:authority` de m\u00e1s de 255 caracteres como SNI para la conexi\u00f3n TLS saliente. La longitud del SNI est\u00e1 limitada a 255 caracteres seg\u00fan el est\u00e1ndar. Envoy siempre espera que esta operaci\u00f3n tenga \u00e9xito y aborta el proceso de forma anormal cuando falla. Esta vulnerabilidad se solucion\u00f3 en 1.30.1, 1.29.4, 1.28.3 y 1.27.5."
    }
  ],
  "id": "CVE-2024-32475",
  "lastModified": "2025-09-04T19:39:08.140",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-04-18T15:15:30.670",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/envoyproxy/envoy/commit/b47fc6648d7c2dfe0093a601d44cb704b7bad382"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/envoyproxy/envoy/commit/b47fc6648d7c2dfe0093a601d44cb704b7bad382"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-253"
        },
        {
          "lang": "en",
          "value": "CWE-617"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.