Hello Envoy Community,
We are announcing an upcoming release to address an Envoy vulnerability in HTTP route configuration. This vulnerability has been assigned CVE-2024-39305. Envoy versions v1.30.3, v1.29.6, v1.28.4, v1.27.6 and earlier are affected. New releases are in progress and will be announced as soon as they are published.
During our evaluation, we found that the cookie attribute configuration was trivially broken and could not function when enabled in production, and thus it can be fixed in the open, bypassing the security process.
Thanks,
Yan Avlasov (on behalf of the Envoy security team)