Malicious log injection via access logs in envoy

Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

日志输出的转义处理不恰当

Envoy 安全漏洞

Envoy是Enphase开源的一款用于连接智能家居设备的网关程序。 Envoy 1.32.0版本存在安全漏洞，该漏洞源于允许攻击者通过利用对REQUESTED_SERVER_NAME字段的验证不足，向访问日志中注入意外内容。

N/A

N/A