What is CVE-2021-32781?

CVE-2021-32781 is a vulnerability in Envoy, an open-source L7 proxy and communication bus, which allows further processing of request or response data after a locally generated response is sent.

What is the severity of CVE-2021-32781?

The severity of CVE-2021-32781 is high with a CVSS score of 7.5.

How does CVE-2021-32781 affect Envoy?

CVE-2021-32781 affects versions of Envoy from 1.16.0 to 1.16.5, 1.17.0 to 1.17.4, 1.18.0 to 1.18.4, and 1.19.0.

How can I fix CVE-2021-32781 in Envoy?

To fix CVE-2021-32781, upgrade Envoy to version 1.19.0 or apply the necessary patches provided by EnvoyProxy.

Where can I find more information about CVE-2021-32781?

More information about CVE-2021-32781 can be found in the EnvoyProxy security advisory: <a href='https://github.com/envoyproxy/envoy/security/advisories/GHSA-5vhv-gp9v-42qv'>https://github.com/envoyproxy/envoy/security/advisories/GHSA-5vhv-gp9v-42qv</a>

Vulnerability/
CVE-2021-32781

high

8.6

CWE

120 416 119

24/8/2021

3/8/2024

CVE-2021-32781: Continued processing of requests after locally generated response

First published: Tue Aug 24 2021(Updated: )

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions after Envoy sends a locally generated response it must stop further processing of request or response data. However when local response is generated due the internal buffer overflow while request or response is processed by the filter chain the operation may not be stopped completely and result in accessing a freed memory block. A specifically constructed request delivered by an untrusted downstream or upstream peer in the presence of extensions that modify and increase the size of request or response bodies resulting in a Denial of Service when using extensions that modify and increase the size of request or response bodies, such as decompressor filter. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to address incomplete termination of request processing after locally generated response. As a workaround disable Envoy's decompressor, json-transcoder or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies, if feasible.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Envoy Proxy	>=1.16.0<1.16.5
Envoy Proxy	>=1.17.0<1.17.4
Envoy Proxy	>=1.18.0<1.18.4
Envoy Proxy	=1.19.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-32781?
CVE-2021-32781 is a vulnerability in Envoy, an open-source L7 proxy and communication bus, which allows further processing of request or response data after a locally generated response is sent.
What is the severity of CVE-2021-32781?
The severity of CVE-2021-32781 is high with a CVSS score of 7.5.
How does CVE-2021-32781 affect Envoy?
CVE-2021-32781 affects versions of Envoy from 1.16.0 to 1.16.5, 1.17.0 to 1.17.4, 1.18.0 to 1.18.4, and 1.19.0.
How can I fix CVE-2021-32781 in Envoy?
To fix CVE-2021-32781, upgrade Envoy to version 1.19.0 or apply the necessary patches provided by EnvoyProxy.
Where can I find more information about CVE-2021-32781?
More information about CVE-2021-32781 can be found in the EnvoyProxy security advisory: <a href='https://github.com/envoyproxy/envoy/security/advisories/GHSA-5vhv-gp9v-42qv'>https://github.com/envoyproxy/envoy/security/advisories/GHSA-5vhv-gp9v-42qv</a>

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/title
agent/last-modified-date
agent/weakness
agent/severity
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/envoyproxy
canonical/envoy proxy
version/envoy proxy/1.16.0
version/envoy proxy/1.17.0
version/envoy proxy/1.18.0
version/envoy proxy/1.19.0