Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Envoy crashes when JWT authentication is configured with the remote JWKS fetching
Vulnerability Description
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
空指针解引用
Vulnerability Title
Envoy 代码问题漏洞
Vulnerability Description
Envoy是Enphase开源的一款用于连接智能家居设备的网关程序。 Envoy 1.33.12版本、1.34.10版本、1.35.6版本、1.36.2版本及之前版本存在代码问题漏洞,该漏洞源于JWT认证配置中存在重入错误,可能导致崩溃。
CVSS Information
N/A
Vulnerability Type
N/A