CVE-2019-9900 — Injection in Envoy

CWE-74 — Injection CWE-20 — Improper Input Validation5 documents5 sources

Severity

8.3HIGHNVD

EPSS

0.0%

top 90.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Envoyproxy Envoy

Timeline

PublishedApr 25

Latest updateMay 24

Description

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.7

Affected Packages1 packages

▶NVDenvoyproxy/envoy1.9.0

🔴Vulnerability Details

GHSA

GHSA-h9r7-c397-3wqr: When parsing HTTP/1↗2022-05-24

▶

📋Vendor Advisories

Red Hat

istio/envoy: Authorization bypass via null characters injection in HTTP/1.x↗2019-04-05

▶

💬Community

HackerOne

Vulnerability in http-parser & embedded NULL header handling↗2020-02-13

▶

Bugzilla

CVE-2019-9900 istio/envoy: Authorization bypass via null characters injection in HTTP/1.x↗2019-04-09

▶