CVE-2024-32475

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-253
View all →

Vulnerability Description

Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with `auto_sni` enabled, a request containing a `host`/`:authority` header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the `host`/`:authority` header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.

Related Vulnerabilities

CVE-2023-49286

HIGH
CVSS:7.5(High)

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper ...

CWE-2532023

CVE-2024-1622

HIGH
CVSS:7.5(High)

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening.

CWE-2532024

CVE-2017-7474

CRITICAL
CVSS:9.8(Critical)

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or...

CWE-2532017

CVE-2023-4501

CRITICAL
CVSS:9.8(Critical)

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants ...

CWE-2532023