CVE-2024-45807 — HIGH (7.5)

Q: How severe is CVE-2024-45807?

CVE-2024-45807 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-45807?

Check the references section above for vendor advisories and patch information. Affected products include: Envoyproxy Envoy.

Vulnerability Description

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the `oghttp2` by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. All users are advised to upgrade. There are no known workarounds for this issue.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Envoyproxy	Envoy	>= 1.31.0, < 1.31.2

Related Weaknesses (CWE)

CWE-670

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37Vendor Advisory

FAQ

What is CVE-2024-45807?

CVE-2024-45807 is a vulnerability with a CVSS score of 7.5 (HIGH). Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To r...

How severe is CVE-2024-45807?

CVE-2024-45807 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-45807?

Check the references section above for vendor advisories and patch information. Affected products include: Envoyproxy Envoy.