Bug 2259231 (CVE-2024-23324)
| Summary: | CVE-2024-23324 envoy: Ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | jwendell, rcernich, security-response-team, twalsh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | envoy 1.29.1, envoy 1.28.1, envoy 1.27.3, envoy 1.26.7 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the Envoy proxy. External authentication can be bypassed by downstream connections that use the PROXY protocol. Downstream clients can force invalid gRPC requests to send to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2259221 | ||
|
Description
Patrick Del Bello
2024-01-19 16:25:52 UTC
|