Description
A flaw was found in Envoy. It is possible to modify or manipulate headers from external clients when pass-through routes are used for the ingress gateway. This issue could allow a malicious user to forge what is logged by Envoy as a requested path and cause the Envoy proxy to make requests to internal-only services or arbitrary external systems. This is a regression of the fix for CVE-2023-27487.
Remediation
References
Related Vulnerabilities
Internet Information Services Other Vulnerability (CVE-2000-0071)
PostgreSQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-0766)
WordPress Plugin WP Maps-Display Google Maps Perfectly with Ease Cross-Site Request Forgery (4.0.9)
WordPress Plugin Kino Gallery TimThumb Arbitrary File Upload (1.0)