Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for February 09-10, 2024

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between February 09-10, 2024.
During this period, the National Vulnerability Database published 89 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 4
High: 11
Medium: 23
Low: 8
Severity Not Assigned: 43

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2024-24820
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 1.7
Impact Score: 6.0
Description: Icinga Director is a tool designed to make Icinga 2 configuration handling easy. None of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross-site request forgery (CSRF). This enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well, and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. Any later major release is also suitable. Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue. Upgrade immediately to a patched release. If that is not feasible, disable the director module for the time being.
References: https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/
https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3
https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947
https://github.com/nbuchwitz/icingaweb2-module-map/pull/86
https://support.apple.com/en-is/guide/safari/sfri11471/16.0
https://www.chromium.org/updates/same-site/

CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found

2. CVE-2024-24821
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description: Composer is a dependency manager for the PHP language. In affected versions, several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo; pipelines which may execute Composer on untrusted projects; shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files with the following:

```sh
# Remove the two files Composer includes from the working directory, then regenerate them
# without running scripts or plugins from the (possibly tampered) project.
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
```
References: https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h

CWE-ID: CWE-829
Common Platform Enumerations (CPE): Not Found

3. CVE-2024-24825
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/DIRACGrid/DIRAC/commit/f9ddab755b9a69acb85e14d2db851d8ac0c9648c
https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-59qj-jcjv-662j

CWE-ID: CWE-200
Common Platform Enumerations (CPE): Not Found

4. CVE-2023-45191
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 268755.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/268755
https://www.ibm.com/support/pages/node/7116045

CWE-ID: CWE-307
Common Platform Enumerations (CPE): Not Found

5. CVE-2023-46687
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01
https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf

CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found

6. CVE-2023-51761
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 6.0
Description: In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01
https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf

CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found

7. CVE-2024-0842
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 1.2.5. This is due to direct access to the backuply/restore_ins.php file. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.
References: https://plugins.trac.wordpress.org/changeset/3033242/backuply/trunk/restore_ins.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/1f955d88-ab4c-4cf4-a23b-91119d412716?source=cve

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

8. CVE-2024-0229
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
References: https://access.redhat.com/errata/RHSA-2024:0320
https://access.redhat.com/errata/RHSA-2024:0557
https://access.redhat.com/errata/RHSA-2024:0558
https://access.redhat.com/errata/RHSA-2024:0597
https://access.redhat.com/errata/RHSA-2024:0607
https://access.redhat.com/errata/RHSA-2024:0614
https://access.redhat.com/errata/RHSA-2024:0617
https://access.redhat.com/errata/RHSA-2024:0621
https://access.redhat.com/errata/RHSA-2024:0626
https://access.redhat.com/errata/RHSA-2024:0629
https://access.redhat.com/security/cve/CVE-2024-0229
https://bugzilla.redhat.com/show_bug.cgi?id=2256690

CWE-ID: CWE-788
Common Platform Enumerations (CPE): Not Found

9. CVE-2024-21762
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.
References: https://fortiguard.com/psirt/FG-IR-24-015

CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found

10. CVE-2023-6724
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse. This issue affects Hearing Tracking System: before 7.0 for iOS, and the latest release 1.0 for Android.
References: https://www.usom.gov.tr/bildirim/tr-24-0099

CWE-ID: CWE-639
Common Platform Enumerations (CPE): Not Found

11. CVE-2023-6677
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oduyo Financial Technology Online Collection allows SQL Injection. This issue affects Online Collection: before v.1.0.2.
References: https://www.usom.gov.tr/bildirim/tr-24-0100

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found

12. CVE-2024-23322
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when all of the following are true: 1. hedge_on_per_try_timeout is enabled; 2. per_try_idle_timeout is enabled (it can only be set in configuration); 3. per-try-timeout is enabled, either through headers or configuration, and its value is equal to, or within the backoff interval of, the per_try_idle_timeout. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38

CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found

13. CVE-2024-23324
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/envoyproxy/envoy/commit/29989f6cc8bfd8cd2ffcb7c42711eb02c7a5168a
https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6

CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found

14. CVE-2024-23325
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol handling when using an address type that isn't supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request in which the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/envoyproxy/envoy/commit/bacd3107455b8d387889467725eb72aa0d5b5237
https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26

CWE-ID: CWE-248 CWE-755
Common Platform Enumerations (CPE): Not Found

15. CVE-2024-23327
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/envoyproxy/envoy/commit/63895ea8e3cca9c5d3ab4c5c128ed1369969d54a
https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j

CWE-ID: CWE-476
Common Platform Enumerations (CPE): Not Found
