CVE-2020-11767

Severity Score

3.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and a server (for abc.example.com) recycles the TCP connection to the forward proxy, the victim's browser may suddenly start sending sensitive data to a *.example.com server. This occurs because the forward proxy between the victim and the origin server reuses connections (which obeys the specification), but neither Istio nor Envoy corrects this by sending a 421 error. Similarly, this behavior voids the security model browsers have put in place between domains.

Istio versiones hasta 1.5.1 y Envoy versiones hasta 1.14.1, presenta un problema de pérdida de datos. Si existe una conexión TCP (negociada con SNI a través de HTTPS) a *.example.com, se envía una petición de un dominio configurado de manera simultánea explícitamente (por ejemplo, abc.example.com) hacia los servidores que escuchan detrás de * .example.com. El resultado en su lugar debería ser 421 Misdirected Request. Imagine un proxy directo de almacenamiento en caché compartido que reutiliza una conexión HTTP/2 para una subred grande con muchos usuarios. Si una víctima está interactuando con abc.example.com, y un servidor (para abc.example.com) recicla la conexión TCP al proxy directo, el navegador de la víctima puede comenzar a enviar datos confidenciales hacia un servidor *.example.com. Esto ocurre porque el proxy de reenvío entre la víctima y el servidor de origen reutiliza las conexiones (que obedecen la especificación), pero ni Istio ni Envoy corrigen esto al enviar un error 421. Del mismo modo, este comportamiento anula los modelos de seguridad que los navegadores han implementado entre dominios.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-04-15 CVE Reserved
2020-04-15 CVE Published
2023-03-07 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (4)

URL	Tag	Source
https://bugs.chromium.org/p/chromium/issues/detail?id=954160#c5	Issue Tracking
https://github.com/envoyproxy/envoy/issues/6767	Third Party Advisory
https://github.com/istio/istio/issues/9429	Third Party Advisory

URL	Date	SRC
https://github.com/istio/istio/issues/13589	2024-08-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				<= 1.14.1 Search vendor "Envoyproxy" for product "Envoy" and version " <= 1.14.1"		-		Affected
Istio Search vendor "Istio"		Istio Search vendor "Istio" for product "Istio"				<= 1.5.1 Search vendor "Istio" for product "Istio" and version " <= 1.5.1"		-		Affected