x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968

GoVulnBot · 2023-07-25T20:01:31Z

CVE-2023-35942 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a use-after-free crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update.

References:

Cross references:

Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.26.3
      packages:
        - package: envoy
description: |-
    Envoy is an open source edge and service proxy designed for cloud-native
    applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12,
    gRPC access loggers using listener's global scope can cause a `use-after-free`
    crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10,
    and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log
    or stop listener update.
cves:
    - CVE-2023-35942
references:
    - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-31T20:51:06Z

Change https://go.dev/cl/514636 mentions this issue: data/excluded: batch add 31 excluded reports

neild added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jul 31, 2023

neild self-assigned this Jul 31, 2023

gopherbot closed this as completed in 2439098 Jul 31, 2023

GoVulnBot mentioned this issue Oct 10, 2023

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

Closed

GoVulnBot mentioned this issue Apr 10, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-27919 #2710

Closed

GoVulnBot mentioned this issue Apr 10, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-30255 #2713

Closed

GoVulnBot mentioned this issue Apr 18, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32475 #2735

Closed

GoVulnBot mentioned this issue Jul 1, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-39305 #2960

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968

GoVulnBot commented Jul 25, 2023

gopherbot commented Jul 31, 2023

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968

Comments

GoVulnBot commented Jul 25, 2023

gopherbot commented Jul 31, 2023