{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53271", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-19T20:08:14.482Z", "datePublished": "2024-12-18T19:12:20.612Z", "dateUpdated": "2024-12-18T21:34:22.425Z"}, "containers": {"cna": {"title": "HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f"}, {"name": "https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8", "tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.31.0, < 1.31.5", "status": "affected"}, {"version": ">= 1.32.0, < 1.32.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-18T19:12:20.612Z"}, "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue."}], "source": {"advisory": "GHSA-rmm5-h2wv-mg4f", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-18T21:32:16.518571Z", "id": "CVE-2024-53271", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-18T21:34:22.425Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53271", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-18T21:32:16.518571Z"}}}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-18T21:32:43.362Z"}}], "cna": {"title": "HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy", "source": {"advisory": "GHSA-rmm5-h2wv-mg4f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"status": "affected", "version": ">= 1.31.0, < 1.31.5"}, {"status": "affected", "version": ">= 1.32.0, < 1.32.3"}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f", "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8", "name": "https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-18T19:12:20.612Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53271", "state": "PUBLISHED", "dateUpdated": "2024-12-18T21:34:22.425Z", "dateReserved": "2024-11-19T20:08:14.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-18T19:12:20.612Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue."}], "id": "CVE-2024-53271", "lastModified": "2024-12-18T22:15:07.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-18T20:15:24.433", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8"}, {"source": "security-advisories@github.com", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "envoy: HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy", "id": "2333078", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333078"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-670", "details": ["Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue.", "A flaw was found in Envoy. In affected versions, Envoy does not properly handle certain HTTP 1.1 responses. Specially-crafted requests may trigger failures or application crashes in networked devices, leading to a denial of service."], "name": "CVE-2024-53271", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/proxyv2-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}], "public_date": "2024-12-18T19:12:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53271\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53271\nhttps://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f"], "statement": "This vulnerability is rated Important due to Envoy's improper handling of HTTP 1.1 non-101 1xx responses, potentially leading to downstream failures in networked devices, this issue can disrupt service communication, requiring prompt attention and resolution to maintain network stability.", "threat_severity": "Important"}