CVE-2019-18838
PUBLISHED
CVSS 5 MEDIUM
An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed HTTP request without a Host header, it sends an internally generated "Invalid request" response. This internally generated response is dispatched through the configured encoder filter chain before being sent to the client. An encoder filter that invokes route manager APIs that access a request's Host header causes a NULL pointer dereference, resulting in abnormal termination of the Envoy process.
Risk Scores
CVSS 2.0: 5
EPSS Score: 0.10% (27.2th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| envoyproxy | envoy | 0 |
Timeline
- Dec 10, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://access.redhat.com/errata/RHSA-2019:4222 advisory
- https://access.redhat.com/errata/RHSA-2019:4168 advisory
- https://github.com/envoyproxy/envoy/commits/master url
- https://blog.envoyproxy.io url
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc url
- https://nvd.nist.gov/vuln/detail/CVE-2019-18838 advisory
- https://groups.google.com/forum/#!forum/envoy-users url