{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-01T16:46:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21forum/envoy-security-announce"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-25018", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/forum/#!forum/envoy-security-announce", "refsource": "MISC", "url": "https://groups.google.com/forum/#!forum/envoy-security-announce"}, {"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673", "refsource": "MISC", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:26:09.334Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21forum/envoy-security-announce"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-25018", "datePublished": "2020-10-01T16:46:06", "dateReserved": "2020-08-29T00:00:00", "dateUpdated": "2024-08-04T15:26:09.334Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B23F321-69BA-459A-83FA-801E0B4E6BF7", "versionEndExcluding": "3b5acb2", "versionStartIncluding": "2d69e30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization."}, {"lang": "es", "value": "Envoy master versiones entre 2d69e30 y 3b5acb2, puede presentar un fallo al analizar una URL de petici\u00f3n que requiere la canonicalizaci\u00f3n del host"}], "id": "CVE-2020-25018", "lastModified": "2024-11-21T05:16:32.960", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-01T17:15:13.387", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/envoy-security-announce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21forum/envoy-security-announce"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Envoy security team for reporting this issue.", "bugzilla": {"description": "envoyproxy/envoy: Null pointer deference in URL parsing", "id": "1877605", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877605"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization.", "A flaw was found in envoy. An attacker can craft an HTTP request, which uses an Internationalized Domain Name (IDN) as the host component, resulting in an attempt to convert the host name (from Unicode to ASCII) potentially causing a segfault. The highest threat from this vulnerability is to system availability."], "name": "CVE-2020-25018", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-proxy", "product_name": "OpenShift Service Mesh 1"}], "public_date": "2020-09-29T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-25018\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25018\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673"], "threat_severity": "Important"}