CVE-2023-35941

Envoy vulnerable to OAuth2 credentials exploit with permanent validity

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

NVD
RedHat

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration.

A flaw was found in Envoy, where a malicious client can construct credentials with permanent validity in a specific scenario. This issue is caused by some rare scenarios, such as the combination of host and expiration time, in which the HMAC payload can always be valid in the OAuth2 filter's HMAC check.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-06-20 CVE Reserved
2023-07-25 CVE Published
2024-08-26 EPSS Updated
2024-10-24 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-116: Improper Encoding or Escaping of Output
CWE-303: Incorrect Implementation of Authentication Algorithm

CAPEC

References (3)

URL	Tag	Source
https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-35941	2023-09-14
https://bugzilla.redhat.com/show_bug.cgi?id=2217977	2023-09-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.23.0 < 1.23.12 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.23.0 < 1.23.12"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.24.0 < 1.24.10 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.24.0 < 1.24.10"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.25.0 < 1.25.9 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.25.0 < 1.25.9"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.26.0 < 1.26.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.26.0 < 1.26.4"		-		Affected