{"id":"CVE-2023-35944","summary":"Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes","details":"Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as `htTp` or `htTps`, or the bypassing of some requests such as `https` in unencrypted connections. With a fix in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, Envoy will now lowercase scheme values by default, and change the internal scheme checks that were case-sensitive to be case-insensitive. There are no known workarounds for this issue.","aliases":["BIT-envoy-2023-35944","GHSA-pvgm-7jpg-pw5g"],"modified":"2026-03-14T12:08:19.076906Z","published":"2023-07-25T18:35:59.135Z","database_specific":{"cwe_ids":["CWE-20"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35944.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35944.json"},{"type":"ADVISORY","url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35944"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"51964702956d64adcd1df6b8ea132e863fe78e74"},{"fixed":"cfa32deca25ac57c2bbecdad72807a9b13493fc1"}],"database_specific":{"versions":[{"introduced":"1.26.0"},{"fixed":"1.26.4"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"9184b84cd0dcb3a6c57eb44b177d91c70e1a0901"},{"fixed":"7b2609e12147377b0420bfa4453762e377f218f3"}],"database_specific":{"versions":[{"introduced":"1.25.0"},{"fixed":"1.25.9"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"15baf56003f33a07e0ab44f82f75a660040db438"},{"fixed":"5adb03f52a6399fe5a31fdb603d5009d8d59cdb9"}],"database_specific":{"versions":[{"introduced":"1.24.0"},{"fixed":"1.24.10"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"0"},{"fixed":"9689bc57f80fe56dbb16a4e0d632cde5363d1811"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.23.12"}]}}],"versions":["v1.0.0","v1.1.0","v1.10.0","v1.11.0","v1.12.0","v1.13.0","v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.18.0","v1.18.1","v1.18.2","v1.19.0","v1.2.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.23.1","v1.23.10","v1.23.11","v1.23.2","v1.23.3","v1.23.4","v1.23.5","v1.23.6","v1.23.7","v1.23.8","v1.23.9","v1.24.0","v1.24.1","v1.24.2","v1.24.3","v1.24.4","v1.24.5","v1.24.6","v1.24.7","v1.24.8","v1.24.9","v1.25.0","v1.25.1","v1.25.2","v1.25.3","v1.25.4","v1.25.5","v1.25.6","v1.25.7","v1.25.8","v1.26.0","v1.26.1","v1.26.2","v1.26.3","v1.3.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-35944.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}