1. Home
  2. CVE Database
  3. CVE-2023-35943
MEDIUM · 6.3

CVE-2023-35943

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy whe...

Vulnerability Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the `origin` header is removed and deleted between `decodeHeaders`and `encodeHeaders`. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the `origin` header in the Envoy configuration.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
HIGH

Affected Products

VendorProductVersions
EnvoyproxyEnvoy>= 1.23.0, < 1.23.12

Related Weaknesses (CWE)

CWE-416

References

FAQ

What is CVE-2023-35943?

CVE-2023-35943 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy whe...

How severe is CVE-2023-35943?

CVE-2023-35943 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-35943?

Check the references section above for vendor advisories and patch information. Affected products include: Envoyproxy Envoy.