Denial of service vulnerability in getenvoy-envoy - CVE-2024-30255 (rpm)
ID: oval:org.secpod.oval:def:99608 | Date: (C)2024-04-29 (M)2024-04-29
Class: VULNERABILITY | Family: unix
The host is installed with getenvoy-envoy version 1.29.0 before 1.29.3, 1.28.0 before 1.28.2, 1.27.0 before 1.27.4, or before 1.26.8 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle issues in the HTTP/2 codec. On successful exploitation, an attacker can send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing excessive CPU utilization and consuming approximately 1 core per 300Mbit/s of traffic.