4.3
CVE-2025-0754
- EPSS 0.22%
- Veröffentlicht 28.01.2025 10:15:09
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Envoyproxy: openshift service mesh 2.6.3 and 2.5.6 envoy header handling allows log injection and potential spoofing
The vulnerability was found in OpenShift Service Mesh 2.6.3 and 2.5.6. This issue occurs due to improper sanitization of HTTP headers by Envoy, particularly the x-forwarded-for header. This lack of sanitization can allow attackers to inject malicious payloads into service mesh logs, leading to log injection and spoofing attacks. Such injections can mislead logging mechanisms, enabling attackers to manipulate log entries or execute reflected cross-site scripting (XSS) attacks.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/openshift-service-mesh/proxy
≫
Paket
envoyproxy
Default Statusunaffected
Version
2.6.3
Status
affected
Version
2.5.6
Status
affected
HerstellerRed Hat
≫
Produkt
OpenShift Service Mesh 2
Default Statusaffected
HerstellerRed Hat
≫
Produkt
OpenShift Service Mesh 2
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.22% | 0.445 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
CWE-117 Improper Output Neutralization for Logs
The product does not neutralize or incorrectly neutralizes output that is written to logs.