Skip to content

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18801 #2247

Closed
@tatianab

Description

@tatianab

CVE-2019-18801 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1. This may be used to corrupt nearby heap contents (leading to a query-of-death scenario) or may be used to bypass Envoy's access control mechanisms such as path based routing. An attacker can also modify requests from other users that happen to be proximal temporally and spatially.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.28.0
      packages:
        - package: n/a
cves:
    - CVE-2019-18801
references:
    - fix: https://github.com/envoyproxy/envoy/commits/master
    - web: https://groups.google.com/forum/#!forum/envoy-users
    - web: https://blog.envoyproxy.io
    - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-gxvv-x4p2-rppp
    - web: https://access.redhat.com/errata/RHSA-2019:4222

Metadata

Metadata

Assignees

No one assigned

    Labels

    excluded: LEGACY_FALSE_POSITIVE(DO NOT USE) Vulnerability marked as false positive before we introduced the triage process

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions