CVE-2023-35944: 
NixOS vulnerability analysis and mitigation

Envoy, an open source edge and service proxy designed for cloud-native applications, was found to have a vulnerability (CVE-2023-35944) related to mixed-case schemes in HTTP/2 handling. The vulnerability affects versions prior to 1.27.0, where some internal scheme checks were case-sensitive, leading to potential security issues. The issue was patched in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 (GitHub Advisory).

The vulnerability stems from Envoy's handling of HTTP/2 requests where mixed-case schemes are allowed, but internal scheme checks are performed case-sensitively. This inconsistency can result in either the rejection of requests with mixed-case schemes (such as 'htTp' or 'htTps') or the potential bypassing of security checks for certain requests like 'https' in unencrypted connections. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (GitHub Advisory).

The vulnerability can lead to security bypass scenarios where requests with mixed schemes might circumvent intended security controls. For example, a request with a mixed scheme 'htTp' sent to the OAuth2 filter could fail exact-match checks for 'http' and incorrectly inform the remote endpoint that the scheme is 'https', potentially bypassing OAuth2 checks specific to HTTP requests (GitHub Advisory).

The vulnerability has been fixed in Envoy versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12. The fix implements lowercase scheme values by default and changes the internal scheme checks to be case-insensitive. No workarounds were available for this issue prior to the patch (GitHub Advisory).