CVE-2023-35944

CVE Details

Release Date:

2023-07-25

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as htTp or htTps, or the bypassing of some requests such as https in unencrypted connections. With a fix in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, Envoy will now lowercase scheme values by default, and change the internal scheme checks that were case-sensitive to be case-insensitive. There are no known workarounds for this issue.

See more information about CVE-2023-35944 from MITRE CVE dictionary and NIST NVD

CVSS v3.0 metrics

NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score:	5.3	Base Metrics:	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Access Vector:	Network	Attack Complexity:	Low
Privileges Required:	None	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	Low	Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (istio)	ELSA-2023-12781	2023-09-08
Oracle Linux version 7 (olcne)	ELSA-2023-12781	2023-09-08
Oracle Linux version 8 (istio)	ELSA-2023-12772	2023-09-11
Oracle Linux version 8 (istio)	ELSA-2023-12780	2023-09-08
Oracle Linux version 8 (kubevirt)	ELSA-2023-12772	2023-09-11
Oracle Linux version 8 (olcne)	ELSA-2023-12772	2023-09-11
Oracle Linux version 8 (olcne)	ELSA-2023-12780	2023-09-08
Oracle Linux version 9 (istio)	ELSA-2023-12771	2023-09-06
Oracle Linux version 9 (kubevirt)	ELSA-2023-12771	2023-09-06
Oracle Linux version 9 (olcne)	ELSA-2023-12771	2023-09-06

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team