CVE-2021-28682

CVE-2021-28682

Name

CVE-2021-28682

Description

An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/envoyproxy/envoy/blob/15e3b9dbcc9aaa9d391fa8033904aad1ea1ae70d/api/envoy/api/v2/cluster.proto#L36
MISC	https://github.com/envoyproxy/envoy/releases
MISC	https://blog.envoyproxy.io
Third Party Advisory	https://github.com/envoyproxy/envoy/security/advisories/GHSA-r22g-5f3x-xjgg

Type

URI

MISC

https://github.com/envoyproxy/envoy/blob/15e3b9dbcc9aaa9d391fa8033904aad1ea1ae70d/api/envoy/api/v2/cluster.proto#L36

MISC

https://github.com/envoyproxy/envoy/releases

MISC

https://blog.envoyproxy.io

Third Party Advisory

https://github.com/envoyproxy/envoy/security/advisories/GHSA-r22g-5f3x-xjgg

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:envoyproxy:envoy:1.14.6:::::::*`	envoy	== None	== 1.14.6
`cpe:2.3:a:envoyproxy:envoy:1.15.3:::::::*`	envoy	== None	== 1.15.3
`cpe:2.3:a:envoyproxy:envoy:1.16.2:::::::*`	envoy	== None	== 1.16.2
`cpe:2.3:a:envoyproxy:envoy:1.17.1:::::::*`	envoy	== None	== 1.17.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:envoyproxy:envoy:1.14.6:*:*:*:*:*:*:*

envoy

== None

== 1.14.6

cpe:2.3:a:envoyproxy:envoy:1.15.3:*:*:*:*:*:*:*

envoy

== None

== 1.15.3

cpe:2.3:a:envoyproxy:envoy:1.16.2:*:*:*:*:*:*:*

envoy

== None

== 1.16.2

cpe:2.3:a:envoyproxy:envoy:1.17.1:*:*:*:*:*:*:*

envoy

== None

== 1.17.1

References

Match rules

Vulnerable and fixed packages