CNNVD-202601-1817 Information

CNNVD ID

CNNVD-202601-1817

CVE-2026-22771

  • CNNVD Published: 2026-01-12

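Description (translated from Chinese)

Envoy Gateway is an open-source project from Envoy Proxy that runs Envoy Proxy as a standalone or Kubernetes-based application gateway. Envoy Gateway versions before 1.5.7 and before 1.6.2 contain a code injection vulnerability. It stems from the fact that EnvoyExtensionPolicy Lua scripts can leak proxy credentials, which could in turn allow an attacker to access the control plane and obtain all keys used by the Envoy proxy.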

Description (English)

Envoy Gateway is an application gateway that runs Envoy Proxy in standalone mode or on Kubernetes. Envoy Gateway versions before 1.5.7 and before 1.6.2 have a code injection vulnerability: EnvoyExtensionPolicy Lua scripts may leak proxy credentials, which in turn could let attackers access the control plane and obtain all the keys used by Envoy proxies.

Hazard Level

Medium

Vulnerability Type

Code Injection

Affected Vendor

Envoy Proxy

Published

2026-01-12

Last Modified

2026-02-24

References

https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22

Patch

https://github.com/envoyproxy/gateway/releases
