CVE-2021-32783
Authorization bypass in Contour
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it *cannot* be used to get the *content* of those secrets. Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above. The issue will be addressed in Contour v1.18.0 and a cherry-picked patch release, v1.17.1, has been released to cover users who cannot upgrade at this time. For more details refer to the linked GitHub Security Advisory.
Contour es un controlador de entrada de Kubernetes usando el proxy Envoy. En Contour versiones anteriores a 1.17.1 se puede usar un servicio de tipo ExternalName especialmente diseñado para acceder a la interfaz de administración de Envoy, que Contour normalmente impide el acceso fuera del contenedor Envoy. Esto puede ser usado para cerrar Envoy de forma remota (una denegación de servicio), o para exponer la existencia de cualquier secreto que Envoy esté usando para su configuración, incluyendo especialmente los pares de claves TLS. Sin embargo, *no* puede ser usado para obtener el *contenido* de esos secretos. Dado que este ataque permite el acceso a la interfaz de administración, se presentan diversas opciones de administración, como apagar el Envoy o drenar el tráfico. En general, la interfaz de administración de Envoy no puede ser usada fácilmente para realizar cambios en el cluster, las peticiones en vuelo o los servicios backend, pero podría ser usado para apagar o drenar Envoy, cambiar el enrutamiento del tráfico o recuperar metadatos secretos, como se ha mencionado anteriormente. El problema se abordará en Contour versión v1.18.0 y ha sido lanzado una versión de parche, versión v1.17.1, para cubrir a usuarios que no pueden actualizar en este momento. Para más detalles, consulte el aviso de seguridad de GitHub
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-07-23 CVE Published
- 2023-03-14 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
- CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/projectcontour/contour/releases/tag/v1.17.1 | Release Notes | |
| https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e | 2021-08-05 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Projectcontour Search vendor "Projectcontour" | Contour Search vendor "Projectcontour" for product "Contour" | < 1.17.1 Search vendor "Projectcontour" for product "Contour" and version " < 1.17.1" | kubernetes |
Affected
| ||||||