x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25017 #2291

tatianab · 2023-11-08T22:08:16Z

CVE-2020-25017 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header.

References:

NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-25017
web: https://groups.google.com/forum/#!forum/envoy-security-announce
advisory: GHSA-2v25-cjjq-5f4w
Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby

Cross references:

Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35945 #1917 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-2wmf-p7f8-w42h #1921 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35943 #1969 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35944 #1970 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.28.0
      packages:
        - package: n/a
cves:
    - CVE-2020-25017
references:
    - web: https://groups.google.com/forum/#!forum/envoy-security-announce
    - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-11-08T22:27:57Z

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports

tatianab added the excluded: LEGACY_FALSE_POSITIVE label Nov 8, 2023

gopherbot closed this as completed in 497caf9 Nov 8, 2023

This was referenced Apr 10, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-27919 #2710

Closed

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-30255 #2713

Closed

GoVulnBot mentioned this issue Apr 18, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32475 #2735

Closed

GoVulnBot mentioned this issue Jul 1, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-39305 #2960

Closed

GoVulnBot mentioned this issue Mar 21, 2025

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-cf3q-gqg7-3fm9 #3544

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25017 #2291

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25017 #2291

tatianab commented Nov 8, 2023

gopherbot commented Nov 8, 2023

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25017 #2291

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25017 #2291

Comments

tatianab commented Nov 8, 2023

gopherbot commented Nov 8, 2023