CVE-2021-32779

Incorrect handling of URI '#fragment' element as part of the path element

Severity Score: 8.3 (CVSS v3.1)
Exploit Likelihood: (EPSS)
Affected Versions: (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, Envoy incorrectly handled a URI '#fragment' element as part of the path element. Consider Envoy configured with an RBAC filter for authorization (or a similar mechanism) that either has an explicit case for a final "/admin" path element or uses a negative assertion on a final "/admin" path element, and a client that sends a request to "/app1/admin#foo". In Envoy prior to 1.18.0, or in 1.18.0+ configured with path_normalization=false, Envoy treats the fragment as a suffix of the query string when one is present, or as a suffix of the path when the query string is absent, so it evaluates the final path element as "/admin#foo", which does not match the configured "/admin" path element. In Envoy 1.18.0+ configured with path_normalization=true, Envoy transforms the path to /app1/admin%23foo, which does not match the configured /admin prefix. The resulting URI is then sent to the next server agent either with the offending "#foo" fragment, which violates RFC 3986, or with the nonsensical "%23foo" text appended. A specifically constructed request whose URI contains a '#fragment' element, delivered by an untrusted client where path-based request authorization extensions are in use, can therefore result in escalation of privileges. Envoy versions 1.19.1, 1.18.4, 1.17.4 and 1.16.5 contain fixes that remove the fragment from the URI path in incoming requests.

An authorization bypass vulnerability was found in envoyproxy/envoy. When a URI path-based authorization policy is specified, envoy incorrectly evaluates the HTTP request which contains a URI #fragment. This flaw allows an attacker to bypass the authorization policy and access downstream services. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
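The two descriptions above explain the defect as a parsing-before-authorization order problem (CWE-551): the policy compares the final path element before the fragment has been removed. The following added example, which is not Envoy's code and not from either advisory, models the pre-fix evaluation as the description states it (fragment glued to the path when no query is present, percent-encoded to "%23" under path normalization), puts the fixed evaluation beside it, and adds a log check a defender can run. The "admin" policy element, the function names, and the access-log lines are all constructed for the example; it also covers the query-present case, where the description says the fragment attaches to the query instead of the path.

```python
import re
from urllib.parse import quote

# Assumed policy under test: an RBAC-style rule that singles out requests whose
# final path element is "admin" (the advisory's "/admin" case).
ADMIN_ELEMENT = "admin"

# Constructed access-log lines (not real Envoy output) for the detection check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Aug/2021:10:00:01 +0000] "GET /app1/admin#foo HTTP/1.1" 200 512',
    '10.0.0.6 - - [24/Aug/2021:10:00:02 +0000] "GET /app1/admin HTTP/1.1" 403 0',
    '10.0.0.7 - - [24/Aug/2021:10:00:03 +0000] "GET /app1/admin?x=1#foo HTTP/1.1" 200 512',
    '10.0.0.8 - - [24/Aug/2021:10:00:04 +0000] "GET /app1/index.html HTTP/1.1" 200 2048',
]


def split_request_target(raw: str) -> tuple[str, str, str]:
    """Split a request-target into (path, query, fragment) in RFC 3986 order:
    the first '#' begins the fragment, and within what precedes it the first
    '?' begins the query."""
    before_fragment, _, fragment = raw.partition("#")
    path, _, query = before_fragment.partition("?")
    return path, query, fragment


def final_path_element(path: str) -> str:
    """The last '/'-separated element of a path ("/app1/admin" -> "admin")."""
    return path.rsplit("/", 1)[-1]


def final_element_unfixed(raw: str, path_normalization: bool = False) -> str:
    """Models the pre-fix behaviour the advisory describes: '#' is not a delimiter,
    so the fragment rides along as a suffix of the query when one is present, or
    of the path when it is absent. With path_normalization the '#' is
    percent-encoded to '%23' instead, which mismatches the rule just the same."""
    path = raw.partition("?")[0]
    if path_normalization:
        path = quote(path)  # quote() keeps '/' but encodes '#' as '%23'
    return final_path_element(path)


def final_element_fixed(raw: str) -> str:
    """Fixed behaviour: discard the fragment before the path is evaluated."""
    path, _, _ = split_request_target(raw)
    return final_path_element(path)


def matches_admin_rule(final_element: str) -> bool:
    """The policy comparison itself; what it is handed decides whether it can be dodged."""
    return final_element == ADMIN_ELEMENT


_REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def targets_with_fragment(log_lines: list[str]) -> list[str]:
    """Detection check: a conforming client never transmits the fragment
    (RFC 3986 section 3.5), so any logged request-target carrying a literal
    '#' is worth alerting on, especially against a path-authorized route."""
    hits = []
    for line in log_lines:
        m = _REQUEST_LINE.search(line)
        if m and "#" in m.group(1):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for target in ("/app1/admin#foo", "/app1/admin?x=1#foo"):
        print(target,
              "unfixed:", matches_admin_rule(final_element_unfixed(target)),
              "normalized:", matches_admin_rule(final_element_unfixed(target, True)),
              "fixed:", matches_admin_rule(final_element_fixed(target)))
    print("request-targets carrying a fragment:", targets_with_fragment(SAMPLE_LOG))
```

Running the block shows the rule failing to match "/app1/admin#foo" under both unfixed modes and matching once the fragment is stripped first; the same target with a query string present matches in every mode, as the description's "suffix of the query string" wording implies. The log check is the cheap retrospective control: on a proxy fleet that predates the fixed releases, any request-target containing '#' in the access logs is a request that should never have been produced by a conforming client.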

*Credits: N/A
CVSS Scores

Metric               v3.1 (score 8.3)   v3.1 (second vector)   v2
Attack Vector        Network            Network                Network
Attack Complexity    Low                Low                    Low
Privileges Required  None               None                   n/a
Authentication       n/a                n/a                    None
User Interaction     None               None                   n/a
Scope                Changed            Changed                n/a
Confidentiality      Low                High                   Partial
Integrity            Low                None                   Partial
Availability         Low                None                   Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-05-12 CVE Reserved
  • 2021-08-24 CVE Published
  • 2024-05-09 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
  • CWE-697: Incorrect Comparison
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions

Vendor       Product   Version              Other   Status
Envoyproxy   Envoy     >= 1.16.0 < 1.16.5   -       Affected
Envoyproxy   Envoy     >= 1.17.0 < 1.17.4   -       Affected
Envoyproxy   Envoy     >= 1.18.0 < 1.18.4   -       Affected
Envoyproxy   Envoy     1.19.0               -       Affected