CVE-2021-29492 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156 #4
Description
CVE-2021-29492 - High Severity Vulnerability
Vulnerable Libraries - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156
Vulnerability Details
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret %2F and / and %5C and \ interchangeably are impacted. ### Attack Vector URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat %2F and / and %5C and \ interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat %2F and / and %5C and \ interchangeably.
Publish Date: 2021-05-28
URL: CVE-2021-29492
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1951188
Release Date: 2021-03-31
Fix Resolution: v1.15.5, v1.16.4, v1.17.3, v1.18.3
Step up your Open Source Security Game with WhiteSource here