Published: 15/04/2020 Updated: 21/07/2021

CVSS v2 Base Score: 2.6 | Impact Score: 2.9 | Exploitability Score: 4.9

CVSS v3 Base Score: 3.1 | Impact Score: 1.4 | Exploitability Score: 1.6

VMScore: 231

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Istio up to and including 1.5.1 and Envoy up to and including 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and a server (for abc.example.com) recycles the TCP connection to the forward proxy, the victim's browser may suddenly start sending sensitive data to a *.example.com server. This occurs because the forward proxy between the victim and the origin server reuses connections (which obeys the specification), but neither Istio nor Envoy corrects this by sending a 421 error. Similarly, this behavior voids the security model browsers have put in place between domains.

Vulnerable Product	Search on Vulmon	Subscribe to Product
envoyproxy envoy
istio istio

NVD-CWE-noinfo https://github.com/istio/istio/issues/9429 https://bugs.chromium.org/p/chromium/issues/detail?id=954160#c5 https://github.com/istio/istio/issues/13589 https://github.com/envoyproxy/envoy/issues/6767 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2020-11767

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect