CVE-2023-27493

CVSS v3.1 base score: 8.1 (HIGH)

📋 TL;DR

Envoy proxy versions before 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 (one fixed release per maintained line) do not sanitize or escape downstream request properties when using them to generate request headers, so characters that are illegal in a header value (notably CR and LF) can be forwarded to the upstream service. In the worst case an HTTP/1.1 upstream parses the single downstream request as two pipelined requests, and the second request never passes through the policy Envoy applied to the first. Only deployments that generate request headers from downstream request properties (for example, client certificate fields) are affected.
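Added illustration of the mechanism described above; this is not Envoy code and not part of the advisory. The snippet models what an HTTP/1.1 upstream sees when a proxy copies a downstream property (here a hypothetical client-certificate subject string) into an x-client-subject header verbatim, beside a stand-in sanitiser that strips CR and LF. The header name, request paths and subject value are constructed for the example, and the sanitiser is a stand-in, not Envoy's actual fix.

```shell
#!/bin/sh
# Added example: models header injection via an unsanitised downstream property
# reaching an HTTP/1.1 upstream. Not Envoy code; names and values are constructed.

# Build the upstream request the way an unpatched proxy would: the downstream
# property value is placed verbatim into the x-client-subject header.
build_upstream_request_raw() {
  subject="$1"
  printf 'GET /api/orders HTTP/1.1\r\nHost: orders.internal\r\nx-client-subject: %s\r\n\r\n' "$subject"
}

# Stand-in sanitiser (not Envoy's fix): drop CR and LF so a value can never
# terminate the header block and start a new request.
sanitize_header_value() {
  printf '%s' "$1" | tr -d '\r\n'
}

build_upstream_request_sanitized() {
  build_upstream_request_raw "$(sanitize_header_value "$1")"
}

# Count the request lines an HTTP/1.1 parser would see in the byte stream.
count_request_lines() {
  printf '%s' "$1" | grep -c -E '^(GET|POST|PUT|DELETE) /[^ ]* HTTP/1\.[01]'
}

# Constructed malicious property value: a benign-looking subject followed by a
# blank line (end of headers) and a second request aimed at a path the proxy's
# policy would normally block. Any downstream property the proxy copies into a
# header, such as a certificate subject, could carry this.
EVIL_SUBJECT="$(printf 'CN=alice\r\n\r\nDELETE /admin/users/42 HTTP/1.1\r\nHost: orders.internal')"

raw="$(build_upstream_request_raw "$EVIL_SUBJECT")"
clean="$(build_upstream_request_sanitized "$EVIL_SUBJECT")"

echo "unpatched proxy: $(count_request_lines "$raw") request(s) seen by upstream"
echo "sanitised value: $(count_request_lines "$clean") request(s) seen by upstream"
```

The unsanitised case yields two request lines: the upstream treats the injected DELETE as a legitimately pipelined second request, which is exactly the "bypassing Envoy's security policy" outcome, since Envoy's routing and authorization decisions were made only for the GET. With CR and LF removed the whole payload stays inside one header value and the upstream sees a single request.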

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: All versions before 1.26.0 and, on the older maintained release lines, before 1.25.3, 1.24.4, 1.23.6, and 1.22.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Only when request headers are generated from downstream properties (an opt-in configuration; see Notes)
Notes: Only affects configurations that add request headers derived from downstream request properties, such as fields of the downstream (client) certificate, for example its subject or SAN values. Headers with static values, or values not derived from downstream data, are not affected.

📦 What is this software?

Envoy is an open-source edge and service proxy, widely deployed as an API gateway and as a service-mesh sidecar. It terminates downstream connections and forwards requests to upstream services, and it can add request headers whose values are built from properties of the downstream connection, which is the feature this issue concerns.
⚠️ Risk & Real-World Impact

🔴 Worst Case

An HTTP/1.1 upstream service parses the single downstream request as two pipelined requests. Envoy's routing, authorization, and other policy decisions were made for the first request only, so the injected second request reaches the upstream without those checks, potentially giving the attacker access the policy was meant to deny.

🟠 Likely Case

Header corruption causing upstream parse errors (typically 400 responses), failed requests, or inconsistent application behavior.

🟢 If Mitigated

Upstream services that reject header values containing CR, LF, or other illegal characters limit the impact to failed requests; the traffic Envoy emits still violates the HTTP specification until Envoy is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires a configuration that copies an attacker-influenced downstream property into a request header, and a way for the attacker to get CR/LF characters into that property (for a client-certificate field, a certificate that Envoy's TLS validation accepts). The request-splitting outcome additionally requires an HTTP/1.1 upstream connection; an upstream that rejects illegal header characters reduces the impact to failed requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9 (whichever matches your release line)

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q

Restart Required: Yes

Instructions:

1. Identify the current Envoy version (envoy --version).
2. Upgrade to the patched version for your release line.
3. Restart the Envoy service (or roll the sidecars/pods in a mesh deployment).
4. Verify the new version and that header generation still produces the expected values.

🔧 Temporary Workarounds

Disable downstream property header generation (applies to: all affected versions)

Prevent Envoy from adding request headers based on downstream request properties, such as client certificate subject or SAN values.

Modify the Envoy configuration to remove, or replace with static values, every request header whose value is derived from a downstream property. Upstream services that depended on those headers lose that information until Envoy is patched, so plan the change with the owners of those services.

🧯 If You Can't Patch

  • Ensure upstream services reject header values containing illegal characters (CR, LF, NUL) instead of tolerating them; this limits the impact to failed requests but does not remove the flaw in Envoy
  • Use network segmentation to isolate vulnerable Envoy instances from critical upstream services

🔍 How to Verify

Check if Vulnerable:

Compare the running Envoy version with the fixed release for its line, and search the configuration (or the config dump of an xDS-managed instance) for request headers whose values are derived from downstream request properties, such as client certificate subject or SAN substitutions.

Check Version:

envoy --version

Verify Fix Applied:

Confirm the Envoy version is at or above the fixed release for its line (1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9) and test that generated headers still carry the expected values.
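A combined check covering the workaround and the verification steps above, as an added example that is not Envoy project code. It assumes that envoy --version prints a line of the form "envoy  version: <sha>/<major.minor.patch>/Clean/RELEASE/BoringSSL" (the sample output below is constructed), and that headers derived from downstream properties appear in the configuration as Envoy's %DOWNSTREAM_PEER_...% and %DOWNSTREAM_LOCAL_...% substitutions (names this page does not list); the sample route configuration is constructed to show the affected pattern.

```shell
#!/bin/sh
# Added example (not Envoy project code): version and configuration check for
# CVE-2023-27493. Sample version output and sample config are constructed.

# Fixed versions per release line, from the advisory.
FIXED_VERSIONS="1.26.0 1.25.3 1.24.4 1.23.6 1.22.9"

# Assumed shape of the downstream-property substitutions in Envoy config.
DOWNSTREAM_HEADER_PATTERN='%DOWNSTREAM_(PEER|LOCAL)_[A-Z0-9_]+%'

# Constructed `envoy --version` output (assumed format; replace with "$(envoy --version)").
SAMPLE_VERSION_OUTPUT="envoy  version: 7a1b0d2c3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b/1.25.2/Clean/RELEASE/BoringSSL"

# Extract major.minor.patch from the version line.
parse_envoy_version() {
  printf '%s\n' "$1" | sed -n 's|.*version: [0-9a-f]*/\([0-9][0-9.]*\)/.*|\1|p'
}

# True if dotted version $1 is lower than $2. Call only as a condition
# (if version_lt ...), so a false result is never treated as an error.
version_lt() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2            # positional params become a1 a2 a3 b1 b2 b3
  IFS=$old_ifs
  if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]; return $?; fi
  if [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]; return $?; fi
  [ "$3" -lt "$6" ]
}

# Print "vulnerable" or "patched" for a version. Lines with a listed fix are
# compared against that fix; any other line is compared against 1.26.0, so
# older unlisted lines are vulnerable and newer lines are patched.
assess_version() {
  v="$1"; line="${v%.*}"
  for fixed in $FIXED_VERSIONS; do
    if [ "${fixed%.*}" = "$line" ]; then
      if version_lt "$v" "$fixed"; then echo vulnerable; else echo patched; fi
      return 0
    fi
  done
  if version_lt "$v" "1.26.0"; then echo vulnerable; else echo patched; fi
}

# Number of request-header values derived from downstream properties in a config file.
count_downstream_header_sources() {
  grep -c -E "$DOWNSTREAM_HEADER_PATTERN" "$1" || true
}

# Constructed route config showing the affected pattern: two headers copy client
# certificate fields into request headers (the entries the workaround removes),
# one static header is unaffected.
SAMPLE_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
route_config:
  virtual_hosts:
    - name: backend
      domains: ["*"]
      request_headers_to_add:
        - header:
            key: x-client-subject
            value: "%DOWNSTREAM_PEER_SUBJECT%"
        - header:
            key: x-client-uri-san
            value: "%DOWNSTREAM_PEER_URI_SAN%"
        - header:
            key: x-edge-tier
            value: "public"
EOF

ver="$(parse_envoy_version "$SAMPLE_VERSION_OUTPUT")"
echo "envoy $ver: $(assess_version "$ver")"
echo "request headers derived from downstream properties in $SAMPLE_CONFIG:"
grep -n -E "$DOWNSTREAM_HEADER_PATTERN" "$SAMPLE_CONFIG" || echo "  none"
```

Against the constructed input this reports 1.25.2 as vulnerable and flags the two certificate-derived headers. For a real instance, feed it the actual envoy --version output and the bootstrap or route configuration; for an xDS-managed proxy (for example, an Istio sidecar) the effective routes are not in a local file, so dump them from the admin interface first. The same substitution names also appear in access-log format strings, which are not affected, so review each match rather than treating every hit as a vulnerable header.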

📡 Detection & Monitoring

Log Indicators:

  • Unusual upstream service errors related to header parsing
  • HTTP protocol violations in logs

Network Indicators:

  • Malformed HTTP headers in traffic between Envoy and upstream services

SIEM Query:

source="envoy" AND (error OR "header" OR "malformed")

This query is deliberately broad and will match routine traffic. Narrow it to requests on routes that add headers from downstream properties, and correlate with upstream-side 400 responses or header parse errors on the same connection.

🔗 References

  • https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q
  • https://nvd.nist.gov/vuln/detail/CVE-2023-27493