Home > Vulnerability Database > CVE-2024-23322

Mend.io Vulnerability Database

CVE-2024-23322

Good to know:

Date: February 9, 2024

Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when the following are true: 1. hedge_on_per_try_timeout is enabled, 2. per_try_idle_timeout is enabled (it can only be done in configuration), 3. per-try-timeout is enabled, either through headers or configuration and its value is equal, or within the backoff interval of the per_try_idle_timeout. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: C++

Severity Score

7.5

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23322

Url: https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38

Url: https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e

Url: https://www.mend.io/vulnerability-database/CVE-2024-23322

Severity Score

7.5

Weakness Type (CWE)

Use After Free

CWE-416

Top Fix

Upgrade Version

Upgrade to version v1.26.7,v1.27.3,v1.28.1,v1.29.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23322

Good to know:

Date: February 9, 2024

Language: C++

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?