Back to bug 2217977
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Guilherme de Almeida Suckevicz | 2023-06-27 18:24:24 UTC | CC | security-response-team | |
| Anten Skrabec | 2023-06-27 19:41:20 UTC | Doc Text | A flaw was found in envoy where a malicious client is able to construct credentials with permanent validity in some specific scenario. This is caused by some rare scenarios, like the combination of host and expire time, in which HMAC payload can be always valid in OAuth2 filter's HMAC check. | |
| Anten Skrabec | 2023-06-27 19:49:14 UTC | Fixed In Version | envoy 1.26.3, envoy 1.25.8, envoy 1.24.9, envoy 1.23.11 | |
| Anten Skrabec | 2023-06-27 20:04:52 UTC | Summary | EMBARGOED TRIAGE envoy: OAuth2 credentials exploit with permanent validity | EMBARGOED envoy: OAuth2 credentials exploit with permanent validity |
| Chess Hazlett | 2023-07-06 21:54:15 UTC | Alias | CVE-2023-35941 | |
| Chess Hazlett | 2023-07-06 21:54:15 UTC | Summary | EMBARGOED envoy: OAuth2 credentials exploit with permanent validity | EMBARGOED CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity |
| Red Hat Bugzilla | 2023-07-06 21:54:15 UTC | CC | security-response-team | |
| Red Hat Bugzilla | 2023-07-07 08:28:14 UTC | CC | security-response-team | |
| Red Hat Bugzilla | 2023-07-07 08:28:14 UTC | Assignee | security-response-team | nobody |
| RaTasha Tillery-Smith | 2023-07-07 12:27:44 UTC | Doc Text | A flaw was found in envoy where a malicious client is able to construct credentials with permanent validity in some specific scenario. This is caused by some rare scenarios, like the combination of host and expire time, in which HMAC payload can be always valid in OAuth2 filter's HMAC check. | A flaw was found in envoy, where a malicious client can construct credentials with permanent validity in a specific scenario. This issue is caused by some rare scenarios, such as the combination of host and expiration time, in which the HMAC payload can always be valid in the OAuth2 filter's HMAC check. |
| RaTasha Tillery-Smith | 2023-07-07 12:32:26 UTC | Doc Text | A flaw was found in envoy, where a malicious client can construct credentials with permanent validity in a specific scenario. This issue is caused by some rare scenarios, such as the combination of host and expiration time, in which the HMAC payload can always be valid in the OAuth2 filter's HMAC check. | A flaw was found in Envoy, where a malicious client can construct credentials with permanent validity in a specific scenario. This issue is caused by some rare scenarios, such as the combination of host and expiration time, in which the HMAC payload can always be valid in the OAuth2 filter's HMAC check. |
| Anten Skrabec | 2023-07-11 22:34:11 UTC | Deadline | 2023-07-18 | 2023-07-25 |
| Anten Skrabec | 2023-07-26 16:33:46 UTC | Group | security, qe_staff | |
| Anten Skrabec | 2023-07-26 16:33:46 UTC | Summary | EMBARGOED CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity | CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity |
| Anten Skrabec | 2023-07-26 16:33:46 UTC | Deadline | 2023-07-25 | |
| errata-xmlrpc | 2023-08-11 16:48:17 UTC | Link ID | Red Hat Product Errata RHSA-2023:4624 | |
| errata-xmlrpc | 2023-08-11 16:49:03 UTC | Link ID | Red Hat Product Errata RHSA-2023:4625 | |
| Product Security DevOps Team | 2023-08-11 21:32:47 UTC | Status | NEW | CLOSED |
| Product Security DevOps Team | 2023-08-11 21:32:47 UTC | Resolution | --- | ERRATA |
| Product Security DevOps Team | 2023-08-11 21:32:47 UTC | Last Closed | 2023-08-11 21:32:47 UTC | |