x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493

[GoVulnBot]

CVE-2023-27493 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-27493
• JSON: https://github.com/CVEProject/cvelist/tree/4f8acaad3b5f0a9173d95017a0a8d6314ac83f36/2023/27xxx/CVE-2023-27493.json
• advisory: GHSA-w5w5-487h-qv8q
• Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby

Cross references:

• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/envoyproxy/envoy
    packages:
      - package: envoy
description: |
    Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.
cves:
  - CVE-2023-27493
references:
  - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q

[gopherbot]

Change https://go.dev/cl/482615 mentions this issue: data/excluded: batch add GO-2023-1701, GO-2023-1700, GO-2023-1699, GO-2023-1687, GO-2023-1685, GO-2023-1695, GO-2023-1694, GO-2023-1693, GO-2023-1692, GO-2023-1691, GO-2023-1690