CVE-2021-29492

Bypass of path matching rules using escaped slash characters

Severity Score

8.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted. ### Attack Vector URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/` and `%5C` and `\` interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat `%2F` and `/` and `%5C` and `\` interchangeably.

Envoy es un proxy de borde/medio/servicio nativo de la nube. Envoy no descifra las secuencias de barras diagonales escapadas `%2F` y `%5C` en las rutas URL HTTP en las versiones 1.18.2 y anteriores. Un atacante remoto puede crear una ruta con barras escapadas, por ejemplo `algo%2F..%2Fadmin`, para saltarse el control de acceso, por ejemplo, un bloqueo en `/admin`. Un servidor backend podría entonces decodificar las secuencias de barras y normalizar la ruta y proporcionar a un atacante acceso más allá del alcance previsto por la política de control de acceso. ### Impacto Escalada de Privilegios cuando se utilizan filtros RBAC o JWT con aplicación basada en la ruta de la URL. Los usuarios con servidores de back-end que interpretan `%2F` y `/` y `%5C` y `\` indistintamente están impactados. ### Vector de ataque Rutas de URL que contienen caracteres de barra diagonal escapados entregados por un cliente que no es de confianza. Los parches de las versiones 1.18.3, 1.17.3, 1.16.4 y 1.15.5 contienen una nueva opción de normalización de rutas para descodificar los caracteres de barra diagonal escapados. Como solución, si los servidores finales tratan `%2F` y `/` y `%5C` y `\` indistintamente y se configura un control de acceso basado en la ruta de la URL, se puede reconfigurar el servidor final para que no trate `%2F` y `/` y `%5C` y `\` indistintamente

An authorization bypass vulnerability was found in envoyproxy/envoy. An attacker can potentially craft an HTTP request that defines a certain pattern of escaped characters in the URI path (such as %2F, %2f, %5C or %5c), allowing them to bypass the envoy authorization service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-30 CVE Reserved
2021-05-12 CVE Published
2024-05-31 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-863: Incorrect Authorization

CAPEC

References (3)

URL	Tag	Source
https://github.com/envoyproxy/envoy/security/advisories/GHSA-4987-27fx-x6cf	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-29492	2021-05-11
https://bugzilla.redhat.com/show_bug.cgi?id=1951188	2021-05-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				< 1.15.5 Search vendor "Envoyproxy" for product "Envoy" and version " < 1.15.5"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.16.0 < 1.16.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.16.0 < 1.16.4"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.17.0 < 1.17.3 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.17.0 < 1.17.3"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.18.0 < 1.18.3 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.18.0 < 1.18.3"		-		Affected