Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

envoy — Vulnerabilities & Security Advisories 92

All 92 CVE vulnerabilities found in envoy, with AI-generated Chinese analysis, references, and POCs.

This page documents vulnerability aggregations for the Envoy proxy platform, specifically focusing on Common Weakness Enumeration classifications and associated security tags. It compiles a comprehensive collection of identified security flaws affecting the product, covering historical data from its initial releases through to the most recent patches released in the current year. Visitors to this resource can effectively track vendor security advisories to stay informed about critical updates, gain a deeper understanding of specific weakness classes prevalent in the codebase, and look up the product’s complete vulnerability history to assess long-term risk trends. The data includes various types of issues ranging from memory safety errors to configuration vulnerabilities that may impact service availability or confidentiality. By centralizing these findings, the page serves as a reference for security professionals and developers seeking to understand the threat landscape surrounding the Envoy service mesh component. Users can correlate reported weaknesses with specific versions and understand the remediation efforts applied by the maintainers over time. This structured approach allows for better risk assessment and prioritization of security hygiene tasks within infrastructure managed by this popular open-source proxy. The aggregation ensures that stakeholders have a clear view of the security posture without needing to search through disparate sources.

Vendor: envoyproxy

CVE IDTitleCVSSSeverityPublished
CVE-2023-35943 Envoy vulnerable to CORS filter segfault when origin header is removed CWE-416 6.3 Medium2023-07-25
CVE-2023-35942 Envoy's gRPC access log crash caused by the listener draining CWE-416 6.5 Medium2023-07-25
CVE-2023-35941 Envoy vulnerable to OAuth2 credentials exploit with permanent validity CWE-116 8.6 High2023-07-25
CVE-2023-35945 Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec CWE-400 7.5 High2023-07-13
CVE-2023-33869 Enphase Envoy OS Command Injection CWE-78 6.3 Medium2023-06-20
CVE-2023-27496 Envoy may crash when a redirect url without a state param is received in the oauth filter CWE-20 6.5 Medium2023-04-04
CVE-2023-27493 Envoy doesn't escape HTTP header values CWE-20 8.1 High2023-04-04
CVE-2023-27492 Envoy may crash when a large request body is processed in Lua filter CWE-770 4.8 Medium2023-04-04
CVE-2023-27491 Envoy forwards invalid Http2/Http3 downstream headers CWE-20 5.4 Medium2023-04-04
CVE-2023-27488 Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received. CWE-20 5.4 Medium2023-04-04
CVE-2023-27487 Envoy client may fake the header `x-envoy-original-path` CWE-20 8.2 High2023-04-04
CVE-2022-29227 Use after free in Envoy CWE-416 7.5 High2022-06-09
CVE-2022-29226 Trivial authentication bypass in Envoy CWE-306 10.0 Critical2022-06-09
CVE-2022-29228 Reachable assertion in Envoy CWE-617 7.5 High2022-06-09
CVE-2022-29225 Zip bomb vulnerability in Envoy CWE-400 7.5 High2022-06-09
CVE-2022-29224 Segmentation fault leading to crash in Envoy CWE-476 5.9 Medium2022-06-09
CVE-2021-43826 Crash when tunneling TCP over HTTP in Envoy CWE-416 7.5 High2022-02-22
CVE-2021-43825 Use-after-free in Envoy CWE-416 6.1 Medium2022-02-22
CVE-2022-21655 Incorrect handling of internal redirects results in crash in Envoy CWE-670 7.5 High2022-02-22
CVE-2022-21654 Incorrect configuration handling allows TLS session re-use without re-validation in Envoy CWE-295 7.4 High2022-02-22
CVE-2022-21657 X.509 Extended Key Usage and Trust Purposes bypass in Envoy CWE-295 6.8 Medium2022-02-22
CVE-2022-21656 X.509 subjectAltName matching bypass in Envoy CWE-295 7.4 High2022-02-22
CVE-2022-23606 Crash when a cluster is deleted in Envoy CWE-674 4.4 Medium2022-02-22
CVE-2021-43824 Null pointer dereference in envoy CWE-476 7.5 High2022-02-22
CVE-2021-32780 Incorrect handling of H/2 GOAWAY followed by SETTINGS frames CWE-754 8.6 High2021-08-24
CVE-2021-32781 Continued processing of requests after locally generated response CWE-416 8.6 High2021-08-24
CVE-2021-32779 Incorrectly handling of URI '#fragment' element as part of the path element CWE-551 8.6 High2021-08-24
CVE-2021-32778 Excessive CPU utilization when closing HTTP/2 streams CWE-834 5.8 Medium2021-08-24
CVE-2021-32777 Incorrect concatenation of multiple value request headers in ext-authz extension CWE-551 8.6 High2021-08-24
CVE-2021-29492 Bypass of path matching rules using escaped slash characters CWE-22 8.1 High2021-05-28

All 92 known CVE vulnerabilities affecting envoy with full Chinese analysis, references, and POCs where available.