Home > Vulnerability Database > CVE-2024-27919

Mend.io Vulnerability Database

CVE-2024-27919

Good to know:

Date: April 4, 2024

Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. Users should upgrade to versions 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy version 1.29.0 and 1.29.1 only. As a workaround, downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol for downstream connections.

Language: C++

Severity Score

7.5

Related Resources (6)

Url: http://www.openwall.com/lists/oss-security/2024/04/03/16

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27919

Url: https://github.com/envoyproxy/envoy/security/advisories/GHSA-gghf-vfxp-799r

Url: http://www.openwall.com/lists/oss-security/2024/04/05/3

Url: https://github.com/envoyproxy/envoy/commit/57a02565532c18eb9df972a3e8974be3ae59f2d5

Url: https://www.mend.io/vulnerability-database/CVE-2024-27919

Severity Score

7.5

Weakness Type (CWE)

Detection of Error Condition Without Action

CWE-390

Top Fix

Upgrade Version

Upgrade to version v1.29.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27919

Good to know:

Date: April 4, 2024

Language: C++

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?