Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Envoy Extension Policy lua scripts injection causes arbitrary command execution
Vulnerability Description
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Envoy Gateway 代码注入漏洞
Vulnerability Description
Envoy Gateway是Envoy Proxy开源的一个将 Envoy 代理作为独立或基于 Kubernetes 的应用程序网关。 Envoy Gateway 1.5.7之前版本和1.6.2之前版本存在代码注入漏洞,该漏洞源于EnvoyExtensionPolicy Lua脚本可能泄露代理凭据,进而可能导致攻击者访问控制平面并获取Envoy代理使用的所有密钥。
CVSS Information
N/A
Vulnerability Type
N/A