← back
CVE-2019-9900

CVE-2019-9900

CVSS 6.5 MEDIUMEPSS 3.7%
When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
CVSS:3.0/AC:H/AV:N/A:L/C:L/I:L/PR:N/S:C/UI:N
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://access.redhat.com/errata/RHSA-2019:0741https://github.com/envoyproxy/envoy/issues/6434https://github.com/envoyproxy/envoy/security/advisories/GHSA-x74r-f4mw-c32hhttps://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAMhttps://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history