
CVE-2021-29492

Published: 28/05/2021 Updated: 10/12/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 8.3 | Impact Score: 3.7 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Envoy is a cloud-native edge/middle/service proxy. In versions 1.18.2 and before, Envoy does not decode the escaped slash sequences `%2F` and `%5C` in HTTP URL paths. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A back end server could then decode the slash sequences and normalize the path, giving the attacker access beyond the scope provided for by the access control policy.

Impact: Escalation of privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/`, and `%5C` and `\`, interchangeably are impacted.

Attack Vector: URL paths containing escaped slash characters delivered by an untrusted client.

Patches in versions 1.18.3, 1.17.3, 1.16.4 and 1.15.5 contain a new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/`, and `%5C` and `\`, interchangeably and URL path based access control is configured, one may reconfigure the back end server to not treat them interchangeably.
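The mismatch described above can be modelled in a few lines. This is an added example, not Envoy's code or configuration: the `/admin` policy, the function names and the sample paths are constructed, and the backend is assumed to treat escaped and literal slashes alike. It shows the policy decision with and without decoding escaped slashes, and an audit helper that flags paths where the proxy and the backend disagree.

```python
import re

DENIED_PREFIX = "/admin"  # constructed policy, taken from the advisory's example
ESCAPED_SLASH = re.compile(r"%2f|%5c", re.IGNORECASE)

def normalize(path):
    """Resolve '.' and '..' segments and collapse repeated slashes."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def unescape_slashes(path):
    """Decode %2F and %5C (any case), then treat backslash as a separator."""
    decoded = ESCAPED_SLASH.sub(
        lambda m: "/" if m.group().lower() == "%2f" else "\\", path)
    return decoded.replace("\\", "/")

def is_denied(path):
    return path == DENIED_PREFIX or path.startswith(DENIED_PREFIX + "/")

def proxy_decision(raw_path, decode_escaped_slashes):
    """Path-based policy check as the proxy would evaluate it (model)."""
    path = unescape_slashes(raw_path) if decode_escaped_slashes else raw_path
    return "deny" if is_denied(normalize(path)) else "allow"

def backend_resource(raw_path):
    """Path a backend serves when it treats escaped and literal slashes alike."""
    return normalize(unescape_slashes(raw_path))

def audit(paths):
    """Paths the non-decoding proxy allows but the backend maps to a denied path."""
    return [p for p in paths
            if proxy_decision(p, False) == "allow" and is_denied(backend_resource(p))]

# Constructed sample request paths (not from any real log).
SAMPLE_PATHS = [
    "/something%2F..%2Fadmin",   # the advisory's example
    "/something%5c..%5cadmin",   # lower-case backslash escape
    "/admin/users",              # plain request, denied either way
    "/static/a%2Fb.css",         # escaped slash, harmless target
]

if __name__ == "__main__":
    for p in audit(SAMPLE_PATHS):
        print(p, "->", backend_resource(p), "| hardened:", proxy_decision(p, True))
```
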

Vulnerable Product

envoyproxy envoy

Vendor Advisories

An authorization bypass vulnerability was found in envoyproxy/envoy. An attacker can potentially craft an HTTP request that defines a certain pattern of escaped characters in the URI path (such as %2F, %2f, %5C or %5c), allowing them to bypass the envoy authorization service. The highest threat from this vulnerability is to data confidentiality and ...

Envoy before version 1.18.3, and subsequently Istio before version 1.9.5, contains a remotely exploitable authorization bypass vulnerability. An attacker can potentially craft an HTTP request that defines a certain pattern of escaped characters in the URI path (such as %2F, %2f, %5C or %5c), allowing them to bypass the authorization service ...

Github Repositories

Official Ambassador API Gateway Documentation repository
