CVE-2022-23606
MEDIUMEnvoy 1.20.0-1.20.1 - Denial of Service via Cluster Deletion Recursion
Title source: llmDescription
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.
References (2)
Core 2
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/envoyproxy/envoy/security/advisories/GHSA-9vp2-4cp7-vvxf
Patch, Third Party Advisory x_refsource_misc
https://github.com/envoyproxy/envoy/commit/4b6dd3b53cd5c6d4d4df378a2fc62c1707522b31
Scores
CVSS v3
4.4
EPSS
0.0098
EPSS Percentile
57.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-674
Status
published
Products (2)
envoyproxy/envoy
1.21.0
envoyproxy/envoy
1.20.0 - 1.20.2
Published
Feb 22, 2022
Tracked Since
Feb 18, 2026