x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492

CVE-2023-27492 references [github.com/envoyproxy/envoy](https://github.com/envoyproxy/envoy), which may be a Go module.

Description:
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ responses, mitigate by using the buffer filter to avoid triggering the local reply in the Lua filter.

References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-27492
- JSON: https://github.com/CVEProject/cvelist/tree/e23d1517acf05c0763a151c5a53ed073e6428f36/2023/27xxx/CVE-2023-27492.json
- advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2
- Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby

Cross references:
- Module github.com/envoyproxy/envoy appears in issue #330  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #331  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #332  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #333  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #334  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #335  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #336  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #337  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #484  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #485  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #486  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #487  NOT_GO_CODE
- Module github.com/envoyproxy/envoy appears in issue #488  NOT_GO_CODE


See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md) for instructions on how to triage this report.

```
modules:
  - module: github.com/envoyproxy/envoy
    packages:
      - package: envoy
description: |
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ responses, mitigate by using the buffer filter to avoid triggering the local reply in the Lua filter.
cves:
  - CVE-2023-27492
references:
  - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions