{"containers": {"cna": {"affected": [{"product": "envoy", "vendor": "envoyproxy", "versions": [{"status": "affected", "version": ">= 1.7.0, < 1.18.6"}, {"status": "affected", "version": ">= 1.19.0, < 1.19.3"}, {"status": "affected", "version": ">= 1.20.0, < 1.20.2"}, {"status": "affected", "version": ">= 1.21.0, < 1.21.1"}]}], "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-22T22:35:11.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"}], "source": {"advisory": "GHSA-5j4x-g36v-m283", "discovery": "UNKNOWN"}, "title": "Incorrect configuration handling allows TLS session re-use without re-validation in Envoy", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-21654", "STATE": "PUBLIC", "TITLE": "Incorrect configuration handling allows TLS session re-use without re-validation in Envoy"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "envoy", "version": {"version_data": [{"version_value": ">= 1.7.0, < 1.18.6"}, {"version_value": ">= 1.19.0, < 1.19.3"}, {"version_value": ">= 1.20.0, < 1.20.2"}, {"version_value": ">= 1.21.0, < 1.21.1"}]}}]}, "vendor_name": "envoyproxy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295: Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283", "refsource": "CONFIRM", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"}, {"name": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353", "refsource": "MISC", "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"}]}, "source": {"advisory": "GHSA-5j4x-g36v-m283", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:46:39.224Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:55:41.314206Z", "id": "CVE-2022-21654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:01:27.096Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-21654", "datePublished": "2022-02-22T22:35:11.000Z", "dateReserved": "2021-11-16T00:00:00.000Z", "dateUpdated": "2025-04-23T19:01:27.096Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:46:39.224Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-21654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T15:55:41.314206Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:55:43.079Z"}}], "cna": {"title": "Incorrect configuration handling allows TLS session re-use without re-validation in Envoy", "source": {"advisory": "GHSA-5j4x-g36v-m283", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"status": "affected", "version": ">= 1.7.0, < 1.18.6"}, {"status": "affected", "version": ">= 1.19.0, < 1.19.3"}, {"status": "affected", "version": ">= 1.20.0, < 1.20.2"}, {"status": "affected", "version": ">= 1.21.0, < 1.21.1"}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-02-22T22:35:11.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "GHSA-5j4x-g36v-m283", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": ">= 1.7.0, < 1.18.6"}, {"version_value": ">= 1.19.0, < 1.19.3"}, {"version_value": ">= 1.20.0, < 1.20.2"}, {"version_value": ">= 1.21.0, < 1.21.1"}]}, "product_name": "envoy"}]}, "vendor_name": "envoyproxy"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283", "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283", "refsource": "CONFIRM"}, {"url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353", "name": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295: Improper Certificate Validation"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-21654", "STATE": "PUBLIC", "TITLE": "Incorrect configuration handling allows TLS session re-use without re-validation in Envoy", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-21654", "state": "PUBLISHED", "dateUpdated": "2025-04-23T19:01:27.096Z", "dateReserved": "2021-11-16T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-02-22T22:35:11.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "62EFF3F2-C20D-497C-ADEC-9FF2FD141466", "versionEndExcluding": "1.18.6", "versionStartIncluding": "1.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "2812AC62-44B5-4077-862D-A221CD88981D", "versionEndExcluding": "1.19.3", "versionStartIncluding": "1.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5441B2D-F807-4ED9-AFB9-ED4DE07CE5F8", "versionEndExcluding": "1.20.2", "versionStartIncluding": "1.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "83895D03-DAD1-4893-8A1C-F9143DEEC172", "versionEndExcluding": "1.21.1", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade."}, {"lang": "es", "value": "Envoy es un proxy de borde y servicio de c\u00f3digo abierto, dise\u00f1ado para aplicaciones nativas de la nube. El tls de Envoy permite la reutilizaci\u00f3n cuando algunos ajustes de validaci\u00f3n de cert han cambiado de su configuraci\u00f3n por defecto. La \u00fanica medida de mitigaci\u00f3n para este problema es asegurarse de que es usada la configuraci\u00f3n tls por defecto. Es recomendado a usuarios actualizar"}], "id": "CVE-2022-21654", "lastModified": "2024-11-21T06:45:09.843", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-22T23:15:11.103", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1276", "cpe": "cpe:/a:redhat:service_mesh:2.0::el8", "package": "servicemesh-proxy-0:2.0.9-3.el8", "product_name": "OpenShift Service Mesh 2.0", "release_date": "2022-04-07T00:00:00Z"}, {"advisory": "RHSA-2022:1275", "cpe": "cpe:/a:redhat:service_mesh:2.1::el8", "package": "servicemesh-proxy-0:2.1.2-4.el8", "product_name": "OpenShift Service Mesh 2.1", "release_date": "2022-04-07T00:00:00Z"}], "bugzilla": {"description": "envoy: Incorrect configuration handling allows mTLS session re-use without re-validation", "id": "2050753", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050753"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-367", "details": ["Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.", "A flaw was found in envoy. When certificate validation settings are changed, incorrect configuration handling allows TLS session reuse without revalidation."], "name": "CVE-2022-21654", "public_date": "2022-02-22T07:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-21654\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-21654\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"], "threat_severity": "Important"}