How severe is CVE-2024-23326?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.2 out of 10.

What type of vulnerability is CVE-2024-23326?

This is classified as CWE-391, which is a common weakness in software security.

CVE-2024-23326 - HIGH Severity | CVSS 8.2

Vulnerability Description

Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching protocols. Envoy incorrectly accepts a 200 response from a server when requesting a protocol upgrade, but 200 does not indicate protocol switch. This opens up the possibility of request smuggling through Envoy if the server can be tricked into adding the upgrade header to the response.

Related Vulnerabilities

CVE-2016-10526

HIGH

CVSS:8.6(High)

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion ...

CWE-3912016

CVE-2017-7496

HIGH

CVSS:7.0(High)

fedora-arm-installer up to and including 1.99.16 is vulnerable to local privilege escalation due to lack of checking the error condition of mount operation failure on unsafely created temporary direct...

CWE-3912017

CVE-2017-12176

CRITICAL

CVSS:9.8(Critical)

xorg-x11-server before 1.19.5 was missing extra length validation in ProcEstablishConnection function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CWE-3912017

CVE-2017-12177

CRITICAL

CVSS:9.8(Critical)

xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CWE-3912017

CVE-2017-12178

CRITICAL

CVSS:9.8(Critical)

xorg-x11-server before 1.19.5 had wrong extra length check in ProcXIChangeHierarchy function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CWE-3912017

CVE-2017-12179

CRITICAL

CVSS:9.8(Critical)

xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S)ProcXIBarrierReleasePointer functions allowing malicious X client to cause X server to crash or possibly execute arbitrary code.

CWE-3912017