// For flags

CVE-2021-29492

Bypass of path matching rules using escaped slash characters

Severity Score

8.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted. ### Attack Vector URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/` and `%5C` and `\` interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat `%2F` and `/` and `%5C` and `\` interchangeably.

Envoy es un proxy de borde/medio/servicio nativo de la nube. Envoy no descifra las secuencias de barras diagonales escapadas `%2F` y `%5C` en las rutas URL HTTP en las versiones 1.18.2 y anteriores. Un atacante remoto puede crear una ruta con barras escapadas, por ejemplo `algo%2F..%2Fadmin`, para saltarse el control de acceso, por ejemplo, un bloqueo en `/admin`. Un servidor backend podría entonces decodificar las secuencias de barras y normalizar la ruta y proporcionar a un atacante acceso más allá del alcance previsto por la política de control de acceso. ### Impacto Escalada de Privilegios cuando se utilizan filtros RBAC o JWT con aplicación basada en la ruta de la URL. Los usuarios con servidores de back-end que interpretan `%2F` y `/` y `%5C` y `\` indistintamente están impactados. ### Vector de ataque Rutas de URL que contienen caracteres de barra diagonal escapados entregados por un cliente que no es de confianza. Los parches de las versiones 1.18.3, 1.17.3, 1.16.4 y 1.15.5 contienen una nueva opción de normalización de rutas para descodificar los caracteres de barra diagonal escapados. Como solución, si los servidores finales tratan `%2F` y `/` y `%5C` y `\` indistintamente y se configura un control de acceso basado en la ruta de la URL, se puede reconfigurar el servidor final para que no trate `%2F` y `/` y `%5C` y `\` indistintamente

An authorization bypass vulnerability was found in envoyproxy/envoy. An attacker can potentially craft an HTTP request that defines a certain pattern of escaped characters in the URI path (such as %2F, %2f, %5C or %5c), allowing them to bypass the envoy authorization service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-03-30 CVE Reserved
  • 2021-05-12 CVE Published
  • 2024-05-31 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Envoyproxy
Search vendor "Envoyproxy"
Envoy
Search vendor "Envoyproxy" for product "Envoy"
< 1.15.5
Search vendor "Envoyproxy" for product "Envoy" and version " < 1.15.5"
-
Affected
Envoyproxy
Search vendor "Envoyproxy"
Envoy
Search vendor "Envoyproxy" for product "Envoy"
>= 1.16.0 < 1.16.4
Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.16.0 < 1.16.4"
-
Affected
Envoyproxy
Search vendor "Envoyproxy"
Envoy
Search vendor "Envoyproxy" for product "Envoy"
>= 1.17.0 < 1.17.3
Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.17.0 < 1.17.3"
-
Affected
Envoyproxy
Search vendor "Envoyproxy"
Envoy
Search vendor "Envoyproxy" for product "Envoy"
>= 1.18.0 < 1.18.3
Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.18.0 < 1.18.3"
-
Affected