Vulnerability Description
Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Envoyproxy | Envoy | >= 1.7.0, < 1.18.6 |
Related Weaknesses (CWE)
References
- https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316PatchThird Party Advisory
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283Issue TrackingThird Party Advisory
- https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316PatchThird Party Advisory
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283Issue TrackingThird Party Advisory
FAQ
What is CVE-2022-21654?
CVE-2022-21654 is a vulnerability with a CVSS score of 7.4 (HIGH). Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The ...
How severe is CVE-2022-21654?
CVE-2022-21654 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21654?
Check the references section above for vendor advisories and patch information. Affected products include: Envoyproxy Envoy.