CVE-2022-21654 HIGH

CVE-2022-21654: Incorrect configuration handling allows TLS session re-use without re-validation in Envoy

Vendor Envoyproxy
Product envoy
Weakness CWE-295
Published February 22, 2022
Last update April 23, 2025

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's TLS implementation allows session re-use without re-validation when certain certificate validation settings have been changed from their default configuration (improper certificate validation, CWE-295). The only workaround for this issue is to ensure that the default TLS settings are used. Users are advised to upgrade.

Key dates

Disclosure timeline

February 22, 2022 CVE published
April 23, 2025 Record updated