Nixpkgs security tracker
6.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV):
- Attack complexity (AC):
- Privileges required (PR):
- User interaction (UI):
- Scope (S):
- Confidentiality impact (C):
- Integrity impact (I):
- Availability impact (A):
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
ignored
11 packages
- opa-envoy-plugin
- python312Packages.envoy-utils
- python313Packages.envoy-utils
- python314Packages.envoy-utils
- python312Packages.envoy-reader
- python313Packages.envoy-reader
- python314Packages.envoy-reader
- python313Packages.envoy-data-plane
- python314Packages.envoy-data-plane
- home-assistant-component-tests.enphase_envoy
- tests.home-assistant-components.enphase_envoy
- @LeSuisse ignored
- @LeSuisse accepted
- @LeSuisse published on GitHub
Envoy Query Parameter header_mutation.cc params.add injection
A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack is possible. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. It is suggested to install a patch to address this issue.
References
Ignored references (4)
-
Submit #797241 | Envoy >= 1.33.0 Injection (CWE-74) third-party-advisory
-
-
VDB-359546 | Envoy Query Parameter header_mutation.cc params.add injection vdb-entrytechnical-description
Affected products
- ==1.0
- ==1.28
- ==1.32
- ==1.22
- ==1.26
- ==1.17
- ==1.24
- ==1.18
- ==1.21
- ==1.6
- ==1.16
- ==1.20
- ==1.12
- ==1.30
- ==1.3
- ==1.11
- ==1.1
- ==1.10
- ==1.29
- ==1.4
- ==1.15
- ==1.9
- ==1.19
- ==1.23
- ==1.33.0
- ==1.27
- ==1.7
- ==1.5
- ==1.8
- ==1.2
- ==1.25
- ==1.13
- ==1.31
- ==1.14
Matching in nixpkgs
pkgs.envoy
Cloud-native edge and service proxy
Ignored packages (11)
pkgs.opa-envoy-plugin
Plugin to enforce OPA policies with Envoy
-
nixos-unstable 1.13.2-envoy-2
- nixpkgs-unstable 1.13.2-envoy-2
- nixos-unstable-small 1.13.2-envoy-2
-
nixos-25.11 1.10.0-envoy
- nixos-25.11-small 1.10.0-envoy
- nixpkgs-25.11-darwin 1.10.0-envoy
pkgs.python312Packages.envoy-utils
Python utilities for the Enphase Envoy
pkgs.python313Packages.envoy-utils
Python utilities for the Enphase Envoy
pkgs.python314Packages.envoy-utils
Python utilities for the Enphase Envoy
pkgs.python312Packages.envoy-reader
Python module to read from Enphase Envoy units
pkgs.python313Packages.envoy-reader
Python module to read from Enphase Envoy units
pkgs.python314Packages.envoy-reader
Python module to read from Enphase Envoy units
pkgs.python313Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.python314Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.home-assistant-component-tests.enphase_envoy
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-components.enphase_envoy
Open source home automation that puts local control and privacy first
Package maintainers
-
@lukegb Luke Granger-Brown <nix@lukegb.com>
-
@katexochen Paul Meyer <katexochen0@gmail.com>