CVE-2024-45807

HIGH 7.5 | EPSS 0.10%

oghttp2 crash on OnBeginHeadersForStream in envoy

Published: 2024/9/21 | Modified: 2025/5/20
Also known as: GHSA-qc52-r4x5-9w37, BIT-envoy-2024-45807

Description

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy 1.31 uses `oghttp2` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this, Envoy will switch off `oghttp2` by default. The impact of this issue is that Envoy will crash. This issue has been addressed in release version 1.31.2. All users are advised to upgrade. There are no known workarounds for this issue.

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

References (2)