CVE-2023-35944

CVE Details

Release Date:	2023-07-25
Impact:	None	What is this?

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as htTp or htTps, or the bypassing of some requests such as https in unencrypted connections. With a fix in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, Envoy will now lowercase scheme values by default, and change the internal scheme checks that were case-sensitive to be case-insensitive. There are no known workarounds for this issue.

See more information about CVE-2023-35944 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	5.3
Vector String:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version:	3.0
Attack Vector:	Network
Attack Complexity:	Low
Privileges Required:	None
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	None
Integrity Impact:	Low
Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (istio)	ELSA-2023-12781	2023-09-08
Oracle Linux version 7 (olcne)	ELSA-2023-12781	2023-09-08
Oracle Linux version 8 (istio)	ELSA-2023-12772	2023-09-11
Oracle Linux version 8 (istio)	ELSA-2023-12780	2023-09-08
Oracle Linux version 8 (kubevirt)	ELSA-2023-12772	2023-09-11
Oracle Linux version 8 (olcne)	ELSA-2023-12772	2023-09-11
Oracle Linux version 8 (olcne)	ELSA-2023-12780	2023-09-08
Oracle Linux version 9 (istio)	ELSA-2023-12771	2023-09-06
Oracle Linux version 9 (kubevirt)	ELSA-2023-12771	2023-09-06
Oracle Linux version 9 (olcne)	ELSA-2023-12771	2023-09-06