When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.

Published : 2019-04-25 15:29 Updated : 2019-10-09 23:53

CVSS Score More info
Score 7.5 / 10
Vendor Product Version URI
Envoyproxy Envoy 1.9.0 cpe:/a:envoyproxy:envoy:1.9.0
  1. Envoyproxy (1) Search CVE
    1. Envoy (1) Search CVE
      1. 1.9.0


ID Name Description Links
CWE-20 Improper Input Validation The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. CVE

History of changes