CVE-2023-35942

CVSS v3.1 6.5 (Medium)

EPSS 0.07 % (31^th)

Affected Products 1

Advisories 4

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a use-after-free crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update.

Weaknesses

CWE-416: Use After Free

CVE Status: PUBLISHED
CNA: GitHub, Inc.
Published Date: 2023-07-25 19:15:11
(14 months ago)
Updated Date: 2023-08-02 18:36:02
(13 months ago)

Affected Products

Envoyproxy

Envoy

Configuration #1

	CPE23	From	Up To
Envoyproxy Envoy from 1.23.0 version and prior 1.23.12 version	cpe:2.3:a:envoyproxy:envoy	>= 1.23.0	< 1.23.12
Envoyproxy Envoy from 1.24.0 version and prior 1.24.10 version	cpe:2.3:a:envoyproxy:envoy	>= 1.24.0	< 1.24.10
Envoyproxy Envoy from 1.25.0 version and prior 1.25.9 version	cpe:2.3:a:envoyproxy:envoy	>= 1.25.0	< 1.25.9
Envoyproxy Envoy from 1.26.0 version and prior 1.26.4 version	cpe:2.3:a:envoyproxy:envoy	>= 1.26.0	< 1.26.4