Home > Vulnerability Database > CVE-2024-45810

Mend.io Vulnerability Database

CVE-2024-45810

Good to know:

Date: September 19, 2024

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the http async client is handling "sendLocalReply" under some circumstance, e.g., websocket upgrade, and requests mirroring. The http async client will crash during the "sendLocalReply()" in http async client, one reason is http async client is duplicating the status code, another one is the destroy of router is called at the destructor of the async stream, while the stream is deferred deleted at first. There will be problems that the stream decoder is destroyed but its reference is called in "router.onDestroy()", causing segment fault. This will impact ext_authz if the "upgrade" and "connection" header are allowed, and request mirrorring. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Perl

Severity Score

6.5

Related Resources (3)

Url: https://github.com/envoyproxy/envoy/security/advisories/GHSA-qm74-x36m-555q

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45810

Url: https://www.mend.io/vulnerability-database/CVE-2024-45810

Severity Score

6.5

Weakness Type (CWE)

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

Top Fix

Upgrade Version

Upgrade to version envoy-mobile-sys - no_fix

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45810

Good to know:

Date: September 19, 2024

Language: Perl

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?