CVE-2023-27491: 
NixOS vulnerability analysis and mitigation

Envoy, an open source edge and service proxy designed for cloud-native applications, was found to have a vulnerability (CVE-2023-27491) where non-compliant HTTP/1 services may allow malformed requests. This vulnerability affects versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, potentially leading to a bypass of security policies. The issue has been fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 (GitHub Advisory).

The vulnerability stems from Envoy's failure to reject HTTP/2 and HTTP/3 requests with invalid :method values that don't conform to valid tokens as defined in RFC specifications. According to HTTP/2 and HTTP/3 standards, requests must include exactly one value for the :method, :scheme, and :path pseudo-header fields, unless it's a CONNECT request. The presence of invalid characters in pseudo headers can result in sending an invalid request line when proxying from HTTP/2 or HTTP/3 client to HTTP/1 upstream service. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) (GitHub Advisory).

The vulnerability could allow attackers to bypass security policies by sending specifically crafted HTTP/2 or HTTP/3 requests that trigger parsing errors on HTTP/1 upstream services. This could potentially lead to unauthorized access or privilege escalation if the malformed requests are processed by non-compliant HTTP/1 services (GitHub Advisory).

The vulnerability has been fixed in Envoy versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. Users should upgrade to these patched versions to mitigate the security risk (GitHub Advisory).