Nixpkgs security tracker
6.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Exploit Code Maturity (E): Not Defined (X)
- Remediation Level (RL): Official Fix (O)
- Report Confidence (RC): Confirmed (C)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
11 packages
- opa-envoy-plugin
- python312Packages.envoy-utils
- python313Packages.envoy-utils
- python314Packages.envoy-utils
- python312Packages.envoy-reader
- python313Packages.envoy-reader
- python314Packages.envoy-reader
- python313Packages.envoy-data-plane
- python314Packages.envoy-data-plane
- home-assistant-component-tests.enphase_envoy
- tests.home-assistant-components.enphase_envoy
- @LeSuisse accepted
- @LeSuisse published on GitHub
Envoy Query Parameter header_mutation.cc params.add injection
A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack is possible. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. It is suggested to install a patch to address this issue.
References
Ignored references (4)
-
VDB-359546 | Envoy Query Parameter header_mutation.cc params.add injection technical-descriptionvdb-entry
-
-
Submit #797241 | Envoy >= 1.33.0 Injection (CWE-74) third-party-advisory
Affected products
- ==1.14
- ==1.0
- ==1.20
- ==1.16
- ==1.27
- ==1.31
- ==1.23
- ==1.29
- ==1.25
- ==1.28
- ==1.12
- ==1.22
- ==1.3
- ==1.9
- ==1.10
- ==1.17
- ==1.33.0
- ==1.2
- ==1.8
- ==1.15
- ==1.6
- ==1.19
- ==1.32
- ==1.21
- ==1.18
- ==1.11
- ==1.7
- ==1.5
- ==1.13
- ==1.4
- ==1.30
- ==1.24
- ==1.26
- ==1.1
Matching in nixpkgs
Ignored packages (11)
pkgs.opa-envoy-plugin
Plugin to enforce OPA policies with Envoy
-
nixos-unstable 1.13.2-envoy-2
- nixpkgs-unstable 1.13.2-envoy-2
- nixos-unstable-small 1.13.2-envoy-2
pkgs.python312Packages.envoy-utils
None
pkgs.python313Packages.envoy-utils
Python utilities for the Enphase Envoy
pkgs.python314Packages.envoy-utils
Python utilities for the Enphase Envoy
pkgs.python312Packages.envoy-reader
None
pkgs.python313Packages.envoy-reader
Python module to read from Enphase Envoy units
pkgs.python314Packages.envoy-reader
Python module to read from Enphase Envoy units
pkgs.python313Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.python314Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.tests.home-assistant-components.enphase_envoy
Open source home automation that puts local control and privacy first
Package maintainers
-
@lukegb Luke Granger-Brown <nix@lukegb.com>
-
@charludo Charlotte Harludo <github@charlotteharludo.com>