Vulnerability Information
Although advanced large-model technology is used, the output may still contain inaccurate or outdated information. 神龙 strives to ensure data accuracy, but please verify and judge against your actual situation.
Vulnerability Title
Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
Vulnerability Description
Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if an upstream server can be tricked into adding an Upgrade header to a response. Per RFC 7230 section 6.7 (https://www.rfc-editor.org/rfc/rfc7230#section-6.7), a server that switches protocols responds with 101 Switching Protocols. Envoy incorrectly accepts a 200 response to an upgrade request as a protocol switch, even though 200 does not indicate that the protocol was switched. Once a connection is treated as upgraded, the proxy stops parsing the bytes that follow as HTTP, which opens up the possibility of request smuggling through Envoy if the server can be tricked into adding the Upgrade header to the response.
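The following is an added example written for this page; it is not Envoy's source code and does not reproduce the actual fix. It models the decision the advisory describes: whether a proxy should move a connection into upgrade (tunnel) mode based on the upstream response. The "lenient" check stands in for the flawed behaviour (a 200 with upgrade headers is accepted), the "strict" check follows RFC 7230 section 6.7 (only 101 Switching Protocols), and the function names, the `Connection: upgrade` requirement and the sample responses are assumptions constructed here for illustration.

```python
# Added example: a model of the upgrade decision described in the advisory,
# written for this page. It is NOT Envoy's source code; the function names,
# the "lenient" condition and the sample responses are constructed here.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_response_head(raw: bytes) -> Response:
    """Parse the status line and header block of an HTTP/1.x response."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or parts[0] not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise ValueError("malformed status line")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return Response(int(parts[1]), headers)


def _tokens(value: str) -> set:
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def has_upgrade_headers(resp: Response, requested: str) -> bool:
    """RFC 7230 6.7: an upgrade response names the protocol in Upgrade and lists
    'upgrade' in Connection (assumed here as the proxy's validation rule)."""
    return (requested.lower() in _tokens(resp.headers.get("upgrade", ""))
            and "upgrade" in _tokens(resp.headers.get("connection", "")))


def switches_protocol_lenient(resp: Response, requested: str) -> bool:
    """Model of the flawed behaviour: a 200 with upgrade headers is treated as a switch."""
    return resp.status in (101, 200) and has_upgrade_headers(resp, requested)


def switches_protocol_strict(resp: Response, requested: str) -> bool:
    """Correct behaviour: only 101 Switching Protocols enters upgrade mode."""
    return resp.status == 101 and has_upgrade_headers(resp, requested)


def client_bytes_handling(switched: bool) -> str:
    """How the proxy treats whatever the client sends next on the same connection."""
    if switched:
        return "tunnel"  # raw passthrough: not parsed, not routed, not policy-checked
    return "http"        # parsed as a new request and routed normally


# Constructed sample responses to a request carrying "Upgrade: websocket".
SAMPLES = {
    "101_switch": b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n",
    "200_with_upgrade": b"HTTP/1.1 200 OK\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nContent-Length: 0\r\n\r\n",
    "200_plain": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
}


def evaluate(raw: bytes, requested: str = "websocket") -> dict:
    """Return both decisions and the resulting handling of subsequent client bytes."""
    resp = parse_response_head(raw)
    lenient = switches_protocol_lenient(resp, requested)
    strict = switches_protocol_strict(resp, requested)
    return {
        "status": resp.status,
        "lenient": client_bytes_handling(lenient),
        "strict": client_bytes_handling(strict),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

The "200_with_upgrade" sample is the case the advisory is about: the lenient check moves the connection into tunnel mode, so everything the client sends afterwards bypasses the proxy's HTTP parsing and routing, while the strict check keeps parsing it as HTTP. A real implementation also has to make sure the upgrade was actually requested by the client before honouring a 101, which this model takes as given.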
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Unchecked Error Condition
Vulnerability Title
Envoy security vulnerability
Vulnerability Description
Envoy is an open source distributed proxy server. Envoy versions prior to 1.30.2 contain a security vulnerability: an upstream server can be tricked into adding an Upgrade header to a response, which leads to request smuggling.
CVSS Information
N/A
Vulnerability Type
N/A