Versions
>= 1.7.0, < 1.18.6
>= 1.30.0, < 1.30.4
>= 1.30.0, <= 11.30.1
>= 1.29.0, < 1.29.3
>= 1.21.0, < 1.21.1
< 1.29.12
1.29.4
>= 1.29.0, < 1.29.9
>= 1.24.0, < 1.24.9
>= 1.31.2, < 1.31.2
>= 1.13.0, < 1.27.5
= 1.17.0
< 1.12.6
>= 1.19.0, < 1.19.1
>= 1.25.0, < 1.25.9
<= 1.18.2
>= 1.28.0, < 1.28.3
>= 1.29.0, < 1.29.4
>= 1.28.0, < 1.28.1
<= 1.27.5
1.13.0
1.27.5
1.28.3
>= 1.28.0, < 1.28.2
>= 1.25.0, < 1.25.3
1.30.0
1.27.0
>= 1.32.0, < 1.32.2
< 1.20.2
>= 1.26.0, < 1.26.4
< 1.26.8
>= 1.30.0, < 1.30.6
>= 1.17.0, < 1.17.4
>= 1.18.0, < 1.18.4
< 1.18.6
>= 1.27.0, < 1.27.4
>= 1.28.0, < 1.28.5
>= 1.13.0, <= 1.30.1
>= 1.29.0, < 1.29.2
< 1.22.1
>= 1.30.0, < 11.30.1
< 1.28.7
>= 1.16.0, < 1.16.5
> 1.18.0, <= 1.27.5
1.28.0
>= 1.13.0, < 1.13.4
>= 1.25.0, < 1.25.8
>= 1.20.0, < 1.20.2
>= 1.23.0, < 1.23.6
1.18.0
< 1.26.7
>= 1.26.0, < 1.26.3
>= 1.31.0, < 1.31.5
>= 1.29.0, < 1.29.1
< 1.27.7
1.30.1
>= 1.19.0, < 1.19.3
1.29.0
< 1.23.12
>= 1.31.0, < 1.31.4
>= 1.25.0, <1.25.3
>= 1.24.0, < 1.24.10
>= 1.14.0, < 1.14.4
0
1.31.0
>= 1.32.0, < 1.32.3
< 1.22.9
>= 1.30.0, < 1.30.9
>= 1.31.0, < 1.31.2
>= 1.30.0, < 1.30.8
>= 1.23.0, < 1.23.11
>= 1.24.0, < 1.24.4
>= 1.28.0, <= 1.28.3
>= 1.27.0, < 1.27.3
>= 1.29.0, <= 1.29.4
>= 1.29.0, < 1.29.7
Recent CVEs
CVE-2024-53271
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2024-53270
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold.
CVE-2024-53269
Envoy is a cloud-native high-performance edge/middle/service proxy. When additional address are not ip addresses, then the Happy Eyeballs sorting algorithm will crash in data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.30.8. Users are advised to upgrade. Users unable to upgrade may disable Happy Eyeballs and/or change the IP configuration.
CVE-2024-39305
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after configuration was parsed. During request processing Envoy will attempt to copy content of de-allocated memory into request cookie header. This can lead to arbitrary content of Envoy's memory to be sent to the upstream service or abnormal process termination. This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5, and v1.27.7. As a workaround, do not use cookie attributes in route action hash policy.
CVE-2024-32975
Envoy is a cloud-native, open source edge and service proxy. There is a crash at `QuicheDataReader::PeekVarInt62Length()`. It is caused by integer underflow in the `QuicStreamSequencerBuffer::PeekRegion()` implementation.
CVE-2024-32976
Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into an endless loop during decompression of Brotli data with extra input.
CVE-2024-23324
Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-23325
Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol when using an address type that isn’t supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.