VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-dd2s-45wa-aaaj

Essentials
Severities (95)
References (10)
Severity details (7)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-dd2s-45wa-aaaj
Aliases	CVE-2021-32780
Summary	Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream server will result in Denial of Service in the presence of untrusted upstream servers. Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the CLOSED state.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-754	Improper Check for Unusual or Exceptional Conditions
CWE-20	Improper Input Validation

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-32780.json
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00116	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-32780
rhbs	high	https://bugzilla.redhat.com/show_bug.cgi?id=1996943
cvssv3.1	8.6	https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
generic_textual	HIGH	https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
cvssv2	5.0	https://nvd.nist.gov/vuln/detail/CVE-2021-32780
cvssv3	7.5	https://nvd.nist.gov/vuln/detail/CVE-2021-32780
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2021-32780
archlinux	High	https://security.archlinux.org/AVG-2321

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-32780.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-32780
		https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
		https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history
1996943		https://bugzilla.redhat.com/show_bug.cgi?id=1996943
AVG-2321		https://security.archlinux.org/AVG-2321
cpe:2.3:a:envoyproxy:envoy::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:envoyproxy:envoy::::::::
cpe:2.3:a:envoyproxy:envoy:1.19.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:envoyproxy:envoy:1.19.0:::::::*
CVE-2021-32780		https://nvd.nist.gov/vuln/detail/CVE-2021-32780
ISTIO-SECURITY-2021-008		https://istio.io/latest/news/security/ISTIO-SECURITY-2021-008/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-32780.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H Found at https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32780

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32780

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32780

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.20258
EPSS Score	0.00077
Published At	March 28, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.