Vulnerability Name:

CVE-2021-29492 (CCN-202794)

Assigned:2021-05-11
Published:2021-05-11
Updated:2021-12-10
Summary:Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted. ### Attack Vector URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/` and `%5C` and `\` interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat `%2F` and `/` and `%5C` and `\` interchangeably.
CVSS v3 Severity:8.3 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
7.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-22
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2021-29492

Source: XF
Type: UNKNOWN
envoyproxy-cve202129492-sec-bypass(202794)

Source: CCN
Type: Envoy GIT Repository
Bypass of path matching rules using escaped slash characters

Source: CONFIRM
Type: Mitigation, Third Party Advisory
https://github.com/envoyproxy/envoy/security/advisories/GHSA-4987-27fx-x6cf

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-29492

Vulnerable Configuration:Configuration 1:
  • cpe:/a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Version < 1.15.5)
  • OR cpe:/a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Version >= 1.16.0 and < 1.16.4)
  • OR cpe:/a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Version >= 1.17.0 and < 1.17.3)
  • OR cpe:/a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Version >= 1.18.0 and < 1.18.3)

    • Configuration CCN 1:
  • cpe:/a:envoyproxy:envoy:1.15.4:*:*:*:*:*:*:*
  • OR cpe:/a:envoyproxy:envoy:1.16.3:*:*:*:*:*:*:*
  • OR cpe:/a:envoyproxy:envoy:1.17.2:*:*:*:*:*:*:*
  • OR cpe:/a:envoyproxy:envoy:1.18.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    envoyproxy envoy *
    envoyproxy envoy *
    envoyproxy envoy *
    envoyproxy envoy *
    envoyproxy envoy 1.15.4
    envoyproxy envoy 1.16.3
    envoyproxy envoy 1.17.2
    envoyproxy envoy 1.18.2