-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32475 #2735
Labels
excluded: NOT_GO_CODE
This vulnerability does not refer to a Go module.
Comments
tatianab
added
excluded: NOT_GO_CODE
This vulnerability does not refer to a Go module.
and removed
possibly not Go
labels
Jun 5, 2024
Change https://go.dev/cl/590855 mentions this issue: |
This was referenced Jun 7, 2024
This was referenced Sep 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-32475 references github.com/envoyproxy/envoy, which may be a Go module.
Description:
Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with
auto_sni
enabled, a request containing ahost
/:authority
header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use thehost
/:authority
header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: