CVE-2024-32975

Public on 2024-06-04

Modified on 2024-06-14

Description

Envoy is a cloud-native, open source edge and service proxy. There is a crash at `QuicheDataReader::PeekVarInt62Length()`. It is caused by integer underflow in the `QuicStreamSequencerBuffer::PeekRegion()` implementation.

Severity

Medium

CVSS v3 Base Score

5.9

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Ecs Extra	ecs-service-connect-agent	2024-06-19	ALAS2ECS-2024-037	Fixed
Amazon Linux 2023	ecs-service-connect-agent	2024-06-19	ALAS2023-2024-647	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv3	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2024-32975 Mitre: CVE-2024-32975