Vulnerability DatabaseCVE-2022-23606
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-23606
February 22, 2022
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.
Related Resources (4)
https://github.com/envoyproxy/envoy/commit/4b6dd3b53cd5c6d4d4df378a2fc62c1707522b31
https://github.com/envoyproxy/envoy/security/advisories/GHSA-9vp2-4cp7-vvxf
https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23606.json
https://nvd.nist.gov/vuln/detail/CVE-2022-23606
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
CVSS v2
Base Score:
4
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
Weakness Type (CWE)
Uncontrolled Recursion
CWE-674
EPSS
Base Score:
0.10