CVE-2021-29492 – Bypass of path matching rules using escaped slash characters

https://notcve.org/view.php?id=CVE-2021-29492

Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-4987-27fx-x6cf https://access.redhat.com/security/cve/CVE-2021-29492 https://bugzilla.redhat.com/show_bug.cgi?id=1951188 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-863: Incorrect Authorization •