CVSS 3.1 Score 8.6 of 10 (high)


Published: Jul 25, 2023
Updated: Aug 2, 2023
CWE ID 116


CVE-2023-35941 is a vulnerability in Envoy, an open source edge and service proxy for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client can, in some specific scenarios, construct credentials with permanent validity: in rare cases the HMAC payload that the OAuth2 filter validates is always accepted as valid, so the credential never expires. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 contain the fix. As a workaround for deployments that cannot upgrade yet, avoid wildcards and prefix domain wildcards in the host's domain configuration. The vulnerability is rated high, with a CVSS 3.1 base score of 8.6 out of 10 and high confidentiality impact.
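The two facts a practitioner needs from this advisory are the list of fixed releases and the workaround (no wildcard or prefix-wildcard domains). The following script, added here as an illustration and not code from the Envoy project, turns both into a check you can run against a deployment: it decides whether a running Envoy version predates the fix for its release line and scans an Envoy-style route configuration for virtual hosts whose `domains` use a wildcard. The route configuration embedded below is constructed for the example. Two assumptions are made beyond the advisory text, and both are marked in comments: release lines newer than 1.27 are treated as fixed (they branched after the fix landed), and release lines older than 1.23 are treated as unfixed (the advisory lists no patched release for them).

```python
"""Audit an Envoy deployment for exposure to CVE-2023-35941 (illustrative, not Envoy code)."""

# Fixed releases named in the advisory, keyed by release line.
FIXED_VERSIONS = {
    (1, 27): (1, 27, 0),
    (1, 26): (1, 26, 4),
    (1, 25): (1, 25, 9),
    (1, 24): (1, 24, 10),
    (1, 23): (1, 23, 12),
}


def parse_version(version):
    """Turn 'v1.26.4' or '1.26.4-something' into the tuple (1, 26, 4).

    Any suffix after '-' is dropped, so a pre-release build is treated as
    its tagged version; inspect such builds by hand.
    """
    core = version.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version):
    """True if this Envoy version predates the fix for its release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[line]
    # Assumption: lines newer than 1.27 branched after the fix and carry it.
    if line > (1, 27):
        return False
    # Assumption: lines older than 1.23 have no patched release at all.
    return True


def wildcard_domains(route_config):
    """Return (virtual_host_name, domain) for every domain using a wildcard.

    Envoy accepts '*' (match everything), suffix wildcards like '*.example.com'
    and prefix wildcards like 'example.*'; the advisory's workaround is to
    avoid all of them on OAuth2-protected hosts, so any '*' is flagged.
    """
    found = []
    for vh in route_config.get("virtual_hosts", []):
        for domain in vh.get("domains", []):
            if "*" in domain:
                found.append((vh.get("name", "<unnamed>"), domain))
    return found


def assess(version, route_config):
    """Combine the version check and the config scan into one verdict."""
    vulnerable = is_vulnerable_version(version)
    wild = wildcard_domains(route_config)
    if not vulnerable:
        status = "patched"
    elif wild:
        status = "unpatched_exposed"
    else:
        status = "unpatched_workaround_applied"
    return {"version": version, "vulnerable_version": vulnerable,
            "wildcard_domains": wild, "status": status}


# Constructed sample route configuration (same shape as Envoy's RouteConfiguration).
SAMPLE_ROUTE_CONFIG = {
    "name": "local_route",
    "virtual_hosts": [
        {"name": "app", "domains": ["app.example.com"], "routes": []},
        {"name": "catch_all", "domains": ["*"], "routes": []},
        {"name": "tenants",
         "domains": ["*.tenants.example.com", "tenants.example.com"],
         "routes": []},
    ],
}


if __name__ == "__main__":
    for version in ("1.25.8", "1.25.9", "1.22.11", "1.28.0"):
        report = assess(version, SAMPLE_ROUTE_CONFIG)
        print(f"{version}: {report['status']}")
        for vh_name, domain in report["wildcard_domains"]:
            print(f"  virtual host {vh_name!r} uses wildcard domain {domain!r}")
```

The verdict `unpatched_workaround_applied` means only that the mitigation named in the advisory is in place; upgrading to a fixed release remains the actual fix. Feed the script the route configuration as Envoy loads it (from a static bootstrap or an `xDS` dump) rather than a hand-copied fragment, so per-route overrides are not missed.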


Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-35941 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options