CVE-2022-21654

CRITICAL9.8EPSS 0.06%

Incorrect configuration handling allows TLS session re-use without re-validation in Envoy

發布日:2024/3/6修改日:2025/10/14

描述

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.

受影響套件(1)

Bitnami/envoy>= 1.7.0, < 1.18.6, >= 1.19.0, < 1.19.3, >= 1.20.0, < 1.20.2, >= 1.21.0, < 1.21.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(3)

WEBhttps://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353
WEBhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-21654