Bug 2300352 (CVE-2024-7207) - CVE-2024-7207 envoy: Server-side request forgery via HTTP header manipulation

Key Information:
Bug ID: 2300352
CVE ID: CVE-2024-7207
Product: Security Response
Component: vulnerability
Version: unspecified
Severity: high
Status: NEW
Reported: 2024-07-29 13:16 UTC by Mauro Matteo Cascella
Modified: 2024-09-19 21:50 UTC
Assignee: Product Security DevOps Team

Description:
A flaw was found in Envoy. When pass-through routes are used for the ingress gateway, headers sent by external clients can be modified or manipulated. A malicious user could use this flaw to forge what Envoy logs as the requested path, and to cause the Envoy proxy to make requests to internal-only services or potentially to arbitrary external systems. This is a regression of the fix for CVE-2023-27487.

Additional Details:
Keywords: Security
CC List: 8 users
Fixed In Version: Not specified
Doc Type: If docs needed, set a value
Target Milestone: Not specified
Environment: Not specified
Last Closed: Not specified
Embargo: Not specified