CVE-2020-25017

high

Description

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurrences of a non-inline header.

References

https://groups.google.com/forum/#%21forum/envoy-security-announce

https://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w

Details

Source: Mitre, NVD

Published: 2020-10-01

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Severity: High