Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
oryginał ENCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:NEnvoyproxy Envoy
APPEnvoyproxy< 1.35.131.36.0 – 1.36.9 (bez)1.37.0 – 1.37.5 (bez)1.38.0 – 1.38.3 (bez)
Powiązane podatności
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation do...
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send HTTP/2 requests that write to the...
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) wit...
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can ...
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37....