CVE-2020-25017

HIGH8.3EPSS 0.05%

Published: 3/6/2024Modified: 3/13/2026

Also known as:BIT-envoy-2020-25017

Description

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header.

Affected packages (1)

Bitnami/envoyfrom 0, < 1.12.7, >= 1.13.0, < 1.13.4, >= 1.14.0, < 1.14.4, >= 1.15.0, < 1.15.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References (3)

WEBhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w
WEBhttps://groups.google.com/forum/#%21forum/envoy-security-announce
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2020-25017