Home > Vulnerability Database > CVE-2024-53270

Mend.io Vulnerability Database

CVE-2024-53270

Date: December 18, 2024

Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions "sendOverloadError" is going to assume the active request exists when "envoy.load_shed_points.http1_server_abort_dispatch" is configured. If "active_request" is nullptr, only onMessageBeginImpl() is called. However, the "onMessageBeginImpl" will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable "http1_server_abort_dispatch" load shed point and/or use a high threshold.

Language: C++

Severity Score

7.5

Related Resources (4)

Url: https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-53270

Url: https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3

Url: https://www.mend.io/vulnerability-database/CVE-2024-53270

Severity Score

7.5

Weakness Type (CWE)

Always-Incorrect Control Flow Implementation

CWE-670

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-53270

Date: December 18, 2024

Language: C++

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?