CVE-2021-29492
Bypass of path matching rules using escaped slash characters
Public Exploits: 0
Descriptions
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode the slash sequences, normalize the path, and provide an attacker access beyond the scope provided for by the access control policy.

Impact

Escalation of privileges when using RBAC or JWT filters with enforcement based on the URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted.

Attack Vector

URL paths containing escaped slash characters delivered by an untrusted client.

Patches in versions 1.18.3, 1.17.3, 1.16.4 and 1.15.5 contain a new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/` and `%5C` and `\` interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat `%2F` and `/` and `%5C` and `\` interchangeably.
An authorization bypass vulnerability was found in envoyproxy/envoy. An attacker can potentially craft an HTTP request that defines a certain pattern of escaped characters in the URI path (such as %2F, %2f, %5C or %5c), allowing them to bypass the envoy authorization service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
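The following is an added illustration, not Envoy's code: a model of a path-based deny rule evaluated the way the advisory describes, once on the raw path (bypassable) and once after the escaped slashes are decoded and dot segments normalized, plus the alternative of rejecting encoded slashes outright. The backend model assumes, as the advisory states for impacted deployments, that `\` and `/` are treated interchangeably; all function names are constructed for this example.

```python
"""Escaped-slash bypass of a path-based access rule, and two ways to close it.

All names here are hypothetical; this is not Envoy's implementation.
"""
import re

# Only the two escapes the advisory is about, matched case-insensitively.
ESCAPED_SLASH = re.compile(r"%2f|%5c", re.IGNORECASE)


def decode_escaped_slashes(path: str) -> str:
    """Decode %2F -> '/' and %5C -> '\\'; leave every other escape untouched."""
    return ESCAPED_SLASH.sub(lambda m: "/" if m.group(0).lower() == "%2f" else "\\", path)


def normalize_path(path: str) -> str:
    """Model of a backend that treats '\\' like '/' and collapses '.' and '..'."""
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def is_denied(path: str) -> bool:
    """The access rule from the advisory's example: a block on /admin."""
    return path == "/admin" or path.startswith("/admin/")


def allowed_naive(path: str) -> bool:
    """Vulnerable check: the rule is matched against the raw, undecoded path."""
    return not is_denied(path)


def allowed_hardened(path: str, mode: str = "unescape") -> bool:
    """Hardened check: reject encoded slashes, or decode and normalize before matching."""
    if ESCAPED_SLASH.search(path):
        if mode == "reject":
            return False
        path = decode_escaped_slashes(path)
    return not is_denied(normalize_path(path))


def backend_resolves_to(path: str) -> str:
    """What an interchangeably-decoding backend would actually serve for this path."""
    return normalize_path(decode_escaped_slashes(path))
```

Running `backend_resolves_to("/something%2F..%2Fadmin")` shows the proxy's raw-path rule and the backend's view of the same request disagreeing, which is exactly the gap the normalization option removes.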
Timeline
- 2021-03-30 CVE Reserved
- 2021-05-12 CVE Published
- 2024-05-31 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-863: Incorrect Authorization
References (3)
URL | Date | Tag | Source
---|---|---|---
https://github.com/envoyproxy/envoy/security/advisories/GHSA-4987-27fx-x6cf | | Mitigation |
https://access.redhat.com/security/cve/CVE-2021-29492 | 2021-05-11 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1951188 | 2021-05-11 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Envoyproxy | Envoy | < 1.15.5 | - | Affected
Envoyproxy | Envoy | >= 1.16.0 < 1.16.4 | - | Affected
Envoyproxy | Envoy | >= 1.17.0 < 1.17.3 | - | Affected
Envoyproxy | Envoy | >= 1.18.0 < 1.18.3 | - | Affected