VDB
EN
MEDIUM 5.3

GHSA-8fv2-88gg-hm7q

Envoy Gateway: Wasm cache ServeHTTP reads mappingPath2Cache without lock

상세

Vulnerability report without repro case. Repro case may be added later after harness is complete.

**Preconditions (4):** - Pod-network reachability to :18002 (no auth) - Tenant can create EnvoyExtensionPolicy (baseline) - Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs - Read at :153 must overlap a write at :201/:209 (probabilistic, attacker controls both rates)

**Description:**

httpserver.go:153 reads s.mappingPath2Cache with no lock while httpserver.go:201/209 write it under s.Lock(); the struct uses a plain map. Writer is tenant-reachable via EnvoyExtensionPolicy translation, reader is pod-network-reachable on :18002 with per-request goroutines. Go's concurrent map read+write detection calls runtime.throw, which net/http's per-conn recover cannot catch, so the controller process exits — cross-tenant control-plane DoS. Capped at MEDIUM: DoS-only, k8s restarts pod, timing-dependent trigger.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Go / github.com/envoyproxy/gateway
최초 영향 버전: 1.8.0-rc.0 수정 버전: 1.8.1
수정 go get github.com/envoyproxy/gateway@v1.8.1
Go / github.com/envoyproxy/gateway
최초 영향 버전: 0 수정 버전: 1.7.4
수정 go get github.com/envoyproxy/gateway@v1.7.4

참고