Envoy
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*
- < 1.37.1
- < 1.36.5
- < 1.35.9
- < 1.34.13
A vulnerability exists in Envoy versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, due to an off-by-one write error in the JsonEscaper::escapeString() function. This flaw can corrupt the null-termination of std::string objects, leading to undefined behavior. When the altered string is processed as a C-string, it can cause crashes or out-of-bounds reads. The issue arises in the control-character escaping path, where improper handling of certain characters can violate string bounds, potentially allowing exploitation through request-driven paths that escape untrusted data.
Exploitation of this vulnerability can lead to undefined behavior, including crashes or out-of-bounds reads, when the manipulated string is treated as a C-string.
The vulnerability can be reproduced by compiling a C++ program with AddressSanitizer enabled, which will catch memory errors. The program should create a string that includes a control character, such as the character with the hexadecimal value 0x01, which is known to trigger the off-by-one write error. After the string is processed by the escapeString function, the output can be checked for proper null-termination. If the termination is corrupted, it can be demonstrated that the string can be misused in a way that leads to a memory error, such as reading past the end of the string.
Users can upgrade to Envoy versions 1.37.1, 1.36.5, 1.35.8, or 1.34.13 to address this vulnerability.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.