Home > Vulnerability Database > CVE-2024-32475

Mend.io Vulnerability Database

CVE-2024-32475

Good to know:

Date: April 18, 2024

Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with `auto_sni` enabled, a request containing a `host`/`:authority` header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the `host`/`:authority` header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5.

Language: C++

Severity Score

7.5

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-32475

Url: https://github.com/envoyproxy/envoy/commit/b47fc6648d7c2dfe0093a601d44cb704b7bad382

Url: https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj

Url: https://www.mend.io/vulnerability-database/CVE-2024-32475

Severity Score

7.5

Weakness Type (CWE)

Incorrect Check of Function Return Value

CWE-253

Reachable Assertion

CWE-617

Top Fix

Upgrade Version

Upgrade to version v1.27.5,v1.28.3,v1.29.4,v1.30.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-32475

Good to know:

Date: April 18, 2024

Language: C++

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?