### Bug 2300352 (CVE-2024-7207) - CVE-2024-7207 envoy: Server-side request forgery via HTTP header manipulation

#### Key Information:

- **Bug ID**: 2300352
- **CVE ID**: CVE-2024-7207
- **Product**: Security Response
- **Component**: vulnerability
- **Version**: unspecified
- **Severity**: high
- **Status**: NEW
- **Reported**: 2024-07-29 13:16 UTC by Mauro Matteo Cascella
- **Modified**: 2024-09-19 21:50 UTC
- **Assignee**: Product Security DevOps Team
- **Description**: A flaw was found in Envoy. When pass-through routes are used for the ingress gateway, headers supplied by external clients are not sanitized and can be modified or manipulated by those clients. A malicious user could use this flaw to forge the path that Envoy records in its access log as the requested path, and to cause the Envoy proxy to make requests to internal-only services or potentially to arbitrary external systems. This is a regression of the fix for CVE-2023-27487.

#### Additional Details:

- **Keywords**: Security
- **CC List**: 8 users
- **Fixed In Version**: Not specified
- **Doc Type**: If docs needed, set a value
- **Target Milestone**: Not specified
- **Environment**: Not specified
- **Last Closed**: Not specified
- **Embargo**: Not specified
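The two effects named in the description (a forged access-log path and a request steered toward an internal-only service) both come from the same mistake: an ingress hop treating a proxy-internal header as trustworthy when an external client supplied it. The model below is an added example written for this page, not Envoy's code and not the fix for this bug. The header name `x-envoy-original-path` is the one at issue in CVE-2023-27487 (the fix this bug regresses); the routing table, the rewrite step that honours that header when choosing an upstream, and the log format are constructed simplifications, and the advisory does not state the exact path by which the header reaches a routing decision in Envoy. The point it demonstrates is the check a practitioner wants: internal headers must be stripped at the trust boundary (external client to ingress) and nowhere else, so that legitimate inter-proxy hops keep working.

```python
"""Model of an ingress proxy that does (pass-through) or does not (hardened)
trust proxy-internal headers supplied by an external client.

Added example; not Envoy code. Header name from CVE-2023-27487; routing
table, rewrite behaviour and log format are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ORIGINAL_PATH = "x-envoy-original-path"   # Envoy-internal header (CVE-2023-27487)
INTERNAL_PREFIX = "x-envoy-"              # assumption: everything with this prefix is proxy-internal

# Constructed routing table: only /public/ is meant to be reachable from outside.
ROUTES = {
    "/public/": "public-backend:8080",
    "/internal/": "internal-backend:9000",
}


@dataclass(frozen=True)
class Request:
    path: str
    headers: Dict[str, str]   # lower-cased header name -> value
    external: bool = True     # True when the request arrives from an untrusted client


@dataclass(frozen=True)
class Outcome:
    upstream: Optional[str]   # where the proxy sent the request (None = no route)
    logged_path: str          # what the access log records as the request path
    forwarded: Dict[str, str] # headers the upstream received


def _pick_upstream(path: str) -> Optional[str]:
    for prefix, host in ROUTES.items():
        if path.startswith(prefix):
            return host
    return None


def _handle(headers: Dict[str, str], path: str) -> Outcome:
    # Constructed: a later stage restores the "pre-rewrite" path from the
    # internal header when one is present, and the access log records it.
    effective_path = headers.get(ORIGINAL_PATH, path)
    return Outcome(_pick_upstream(effective_path), effective_path, headers)


def passthrough_proxy(req: Request) -> Outcome:
    """Vulnerable: a pass-through route forwards every client header untouched."""
    return _handle(dict(req.headers), req.path)


def hardened_proxy(req: Request) -> Outcome:
    """Strips proxy-internal headers, but only when the sender is untrusted."""
    headers = {
        name: value
        for name, value in req.headers.items()
        if not (req.external and name.lower().startswith(INTERNAL_PREFIX))
    }
    return _handle(headers, req.path)


def forged_request() -> Request:
    """Constructed attacker request: an allowed public path plus a forged internal header."""
    return Request("/public/status", {"host": "gw.example", ORIGINAL_PATH: "/internal/admin"})


def probe(proxy) -> Tuple[Optional[str], str, bool]:
    """Run the forged request through `proxy`.

    Returns (upstream chosen, path that would be logged, whether the forged
    internal header reached the upstream). A pass-through ingress yields the
    internal backend, a forged log entry and a leaked header; a hardened one
    yields the public backend and the real path.
    """
    out = proxy(forged_request())
    return out.upstream, out.logged_path, ORIGINAL_PATH in out.forwarded


if __name__ == "__main__":
    for name, proxy in (("pass-through", passthrough_proxy), ("hardened", hardened_proxy)):
        print(name, probe(proxy))
```

The same probe is what to run against a real gateway: send a request on an allowed path with an `x-envoy-*` header set, then confirm from the upstream's received headers and from the ingress access log that neither the header nor the forged path survived. Note that `hardened_proxy` keeps the header for requests marked as coming from an internal hop; stripping it everywhere would break the legitimate proxy-to-proxy use that the header exists for.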