CVE-2021-43824: 
NixOS vulnerability analysis and mitigation

Envoy, an open source edge and service proxy designed for cloud-native applications, was found to contain a vulnerability identified as CVE-2021-43824. The vulnerability was discovered when a crafted CONNECT request sent to a JWT filter configured with regex match could cause Envoy to crash. This security issue was disclosed in November 2021 and affected Envoy versions 1.21.0 and earlier (GitHub Advisory).

The vulnerability stems from a null pointer dereference condition in the JWT authentication filter when configured with regex matching. The issue occurs specifically when processing CONNECT requests with the JWT filter using safe_regex match on the Host header. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating a moderate severity level (GitHub Advisory).

The primary impact of this vulnerability is a Denial of Service (DoS) condition through application crash. When successfully exploited, the vulnerability could allow an attacker to cause the Envoy proxy to crash, potentially disrupting service availability for cloud-native applications relying on Envoy for edge and service proxy functionality (GitHub Advisory).

The vulnerability has been patched in Envoy versions 1.18.6, 1.19.3, 1.20.2, and 1.21.1. As a temporary workaround, users are advised not to use regex in the JWT filter configuration. Users should upgrade to the patched versions to fully address the vulnerability (GitHub Advisory).