
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-23323 affects Envoy, a high-performance edge/middle/service proxy. It was disclosed in February 2024 and concerns regular-expression compilation in the URI template matcher. Affected releases are those prior to 1.29.1, 1.28.1, 1.27.3, and 1.26.7 (GitHub Advisory, NVD).
The root cause is a design flaw: when the regex URL template matcher is used, the regular expression is compiled on every request rather than once when the route is configured, which wastes CPU time and other resources. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) by NIST and 4.3 (MEDIUM) by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. The weakness is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-1176 (Inefficient CPU Computation) (NVD).
The primary impact is potential Denial of Service (DoS) through CPU exhaustion. When several routes are configured with regex matchers, recompiling each expression on every request drives up CPU usage and request latency, and can degrade service availability (GitHub Advisory).
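To make the flaw concrete, the following added example (not Envoy code, and not taken from the advisory) contrasts a route matcher that compiles its regular expression on every request with one that compiles once at configuration time. The route pattern and request paths are constructed sample data; the `count_compile` wrapper is a hypothetical helper that bypasses Python's internal regex cache so the compilation count reflects what a non-caching implementation would really do.

```python
import re
from typing import List, Tuple

# Number of regex compilations observed during one simulation run.
# Counting compilations makes the difference observable without relying
# on wall-clock timing, which varies between machines.
compile_count = 0


def count_compile(pattern: str) -> "re.Pattern[str]":
    """Compile a pattern and record that a compilation happened (constructed helper)."""
    global compile_count
    compile_count += 1
    # re.compile() keeps an internal cache; purge it so every call really
    # pays the compilation cost, as a per-request implementation would.
    re.purge()
    return re.compile(pattern)


def match_compile_per_request(pattern: str, path: str) -> bool:
    """Weak form: the route's regex is compiled again for every incoming request.

    This is the pattern behind CVE-2024-23323: the cost of compilation is paid
    per request instead of once per route, so request volume translates directly
    into CPU consumption.
    """
    return count_compile(pattern).fullmatch(path) is not None


class PrecompiledRouteMatcher:
    """Hardened form: compile once when the route is configured, reuse per request."""

    def __init__(self, pattern: str) -> None:
        self._regex = count_compile(pattern)

    def matches(self, path: str) -> bool:
        return self._regex.fullmatch(path) is not None


def simulate(requests: List[str], pattern: str, per_request: bool) -> Tuple[int, int]:
    """Run the requests through one matcher form.

    Returns (number_of_matching_paths, number_of_regex_compilations).
    """
    global compile_count
    compile_count = 0
    if per_request:
        matched = sum(match_compile_per_request(pattern, p) for p in requests)
    else:
        matcher = PrecompiledRouteMatcher(pattern)
        matched = sum(matcher.matches(p) for p in requests)
    return matched, compile_count


# Constructed sample route and traffic.
ROUTE_PATTERN = r"/api/v[0-9]+/users/[^/]+"
SAMPLE_REQUESTS = [
    "/api/v1/users/alice",
    "/api/v2/users/bob",
    "/health",
    "/api/v1/users/alice",
]

if __name__ == "__main__":
    for per_request in (True, False):
        matched, compiles = simulate(SAMPLE_REQUESTS, ROUTE_PATTERN, per_request)
        form = "compile per request" if per_request else "precompiled"
        print(f"{form:20s}: {matched} matches, {compiles} regex compilations")
```

With four requests the per-request form compiles four times and the precompiled form once; in a proxy handling thousands of requests per second across many regex routes, that difference is the CPU-exhaustion vector the advisory describes.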
The vulnerability is fixed in Envoy versions 1.29.1, 1.28.1, 1.27.3, and 1.26.7, and users are advised to upgrade to one of these releases. No workaround is known (NVD).
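A practitioner checking a fleet will want to compare running versions against the fixed releases listed above. The following added example (not Envoy's or the advisory's own code) does that comparison per release branch. It assumes that branches older than 1.26 received no backport and are therefore treated as affected, that any branch newer than 1.29 includes the fix, and that the `envoy --version` banner contains the release as a `/x.y.z/` segment; the banner line below is a constructed sample.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (1, 29): (1, 29, 1),
    (1, 28): (1, 28, 1),
    (1, 27): (1, 27, 3),
    (1, 26): (1, 26, 7),
}
OLDEST_FIXED: Version = min(FIXED_BY_BRANCH.values())


def parse_envoy_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z triple from a bare version or an `envoy --version` banner.

    Assumption: the banner carries the release as '/x.y.z/' (e.g. '.../1.28.0/Clean/...').
    Returns None when no version triple is present.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if this release predates the fix on its branch."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    if version < OLDEST_FIXED:
        # Branch older than any listed fix: assumed unpatched.
        return True
    # Branch newer than every fixed release: assumed to carry the fix.
    return False


def assess(text: str) -> str:
    """Human-readable verdict for one version string or banner line."""
    version = parse_envoy_version(text)
    if version is None:
        return "unknown: no version found in input"
    label = "AFFECTED" if is_affected(version) else "not affected"
    return f"{'.'.join(map(str, version))}: {label} by CVE-2024-23323"


if __name__ == "__main__":
    # Constructed sample inputs: bare versions plus one banner-style line.
    for sample in (
        "1.28.0",
        "1.28.1",
        "1.25.3",
        "envoy  version: 0123abcd/1.27.2/Clean/RELEASE/BoringSSL",
    ):
        print(assess(sample))
```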
Source: This report was generated using AI