How severe is CVE-2023-27493?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2023-27493?

This is classified as CWE-20, which is a common weakness in software security.

CVE-2023-27493 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.

Related Vulnerabilities

CVE-2015-1555

CRITICAL

CVSS:9.1(Critical)

Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3.x before 2.3.4 allows remote attackers to create valid sessions without using session validators.

CWE-202015

CVE-2016-10492

CRITICAL

CVSS:9.1(Critical)

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MSM8909W, SD 210/SD 212/S...

CWE-202016

CVE-2016-6445

CRITICAL

CVSS:9.1(Critical)

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) before 2.0.6 and Acano Server before 1.8.18 and 1.9.x before 1.9.6 could allow an una...

CWE-202016

CVE-2017-14230

CRITICAL

CVSS:9.1(Critical)

In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, an off-by-one error in prefix calculation for the LIST command caused use of uninitialized memory, which might allow rem...

CWE-202017

CVE-2017-18648

CRITICAL

CVSS:9.1(Critical)

An issue was discovered on Samsung mobile devices with KK(4.4.x), L(5.x), M(6.x), and N(7.x) software. Arbitrary file read/write operations can occur in the locked state via a crafted MTP command. The...

CWE-202017

CVE-2017-2989

CRITICAL

CVSS:9.1(Critical)

Adobe Campaign versions Build 8770 and earlier have an input validation bypass that could be exploited to read, write, or delete data from the Campaign database.

CWE-202017