Home > Vulnerability Database > CVE-2024-23324

Mend.io Vulnerability Database

CVE-2024-23324

Good to know:

Date: February 9, 2024

Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: C++

Severity Score

8.6

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23324

Url: https://github.com/envoyproxy/envoy/commit/29989f6cc8bfd8cd2ffcb7c42711eb02c7a5168a

Url: https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6

Url: https://www.mend.io/vulnerability-database/CVE-2024-23324

Severity Score

8.6

Weakness Type (CWE)

Input Validation

CWE-20

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version v1.26.7,v1.27.3,v1.28.1,v1.29.1

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23324

Good to know:

Date: February 9, 2024

Language: C++

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?