CVE-2024-45807

EPSS 0.02%
Published 20.09.2024 00:15:02
Last modified 25.09.2024 17:12:38
Source security-advisories@github.com
Teams watchlist Login
Open Login

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the `oghttp2` by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. All users are advised to upgrade. There are no known workarounds for this issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Envoyproxy ≫ Envoy Version >= 1.31.0 < 1.31.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.033

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-670 Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-45807

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45807

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45807

EUVD