GCP-2024-032

Google Cloud Platform Security Advisory

Published: 2024-06-04

Description

The following CVEs expose Cloud Service Mesh to exploitable vulnerabilities:

  • CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode.
  • CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete().
  • CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length().
  • CVE-2024-32976: Endless loop while decompressing Brotli data with extra input.
  • CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream.
  • CVE-2024-34363: Crash due to uncaught nlohmann JSON exception.
  • CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response.

Severity

High

Notes

For instructions and more details, see the Cloud Service Mesh security bulletin.
