ISTIO-SECURITY-2023-001


{{< security_bulletin >}}

CVE

Envoy CVEs

  • CVE-2023-27487: (CVSS Score 8.2, High): Client may fake the header `x-envoy-original-path`.

  • CVE-2023-27488: (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.

  • CVE-2023-27491: (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.

  • CVE-2023-27492: (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.

  • CVE-2023-27493: (CVSS Score 8.1, High): Envoy doesn't escape HTTP header values.

  • CVE-2023-27496: (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.

Am I Impacted?

You may be at risk if you have an Istio gateway or if you use external istiod.