CVE-2024-23324 HIGH

CVE-2024-23324: Envoy ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata

Vendor Envoyproxy

Product envoy

Weakness CWE-20 · Input validation

Published February 9, 2024

Last update August 19, 2024

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

February 9, 2024 CVE published

August 19, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-23324 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2024-23324

CWE CWE-20

CVSS 8.6 / HIGH

Affected versions

Vendor Envoyproxy

Product envoy

Affected >= 1.29.0, < 1.29.1

Vendor Envoyproxy

Product envoy

Affected >= 1.28.0, < 1.28.1

Vendor Envoyproxy

Product envoy

Affected >= 1.27.0, < 1.27.3

Vendor Envoyproxy

Product envoy

Affected < 1.26.7

CVE-2024-23324: Envoy ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata

01Description

02Disclosure timeline

03References

04Related CVE