Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Envoy vulnerable to OAuth2 credentials exploit with permanent validity
Vulnerability Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Vulnerability Type
对输出编码和转义不恰当
Vulnerability Title
Envoy 安全漏洞
Vulnerability Description
Envoy是一款开源的分布式代理服务器。 Envoy存在安全漏洞,该漏洞源于恶意客户端能够在某些特定场景中构造永久有效的凭据。
CVSS Information
N/A
Vulnerability Type
N/A