CVE-2019-9900
published 2019-04-25CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting…
PriorityP347high8.3CVSS 3.1
AVNACLPRNUINSCCLILAL
EPSS
3.73%
88.5th percentile
When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | <= 1.9.0 | — |
CVSS provenance
nvdv3.18.3HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat8.3HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
istio/envoy: Authorization bypass via null characters injection in HTTP/1.x
vendor_redhat·2019-04-05·CVSS 8.3
CVE-2019-9900 [HIGH] CWE-20 istio/envoy: Authorization bypass via null characters injection in HTTP/1.x
istio/envoy: Authorization bypass via null characters injection in HTTP/1.x
When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
A flaw was found in Envoy version 1.9.0 and older, where Envoy does not reject embedded zero characters (NUL, ASCII 0x0) when processing HTTP/1.x header values. This flaw allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
GHSA
GHSA-h9r7-c397-3wqr: When parsing HTTP/1
ghsa_unreviewed·2022-05-24
CVE-2019-9900 [HIGH] CWE-20 GHSA-h9r7-c397-3wqr: When parsing HTTP/1
When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
No detection rules found.
No public exploits indexed.
HackerOne
Vulnerability in http-parser & embedded NULL header handling
hackerone·2020-02-13·CVSS 8.3
[HIGH] Vulnerability in http-parser & embedded NULL header handling
Vulnerability in http-parser & embedded NULL header handling
Due to a snafu in how [email protected] is setup to forward (see https://github.com/envoyproxy/envoy/issues/5155), the following bug report was not made available prior to disclosure. For completeness, I'm providing the original e-mail below.
Please note that this has been fixed in http-parser since disclosures. I understand that Node has moved away from http-parser, but this might affect Node.JS LTS for earlier versions. See https://github.com/nodejs/http-parser/issues/468 for the fix.
Rather than file a full report, I would like to share with Node.JS security WG the following resources:
* Envoy CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900
* Envoy GH issue with CVE details: https://github.com/envoypro
Bugzilla
CVE-2019-9900 istio/envoy: Authorization bypass via null characters injection in HTTP/1.x
bugzilla·2019-04-09·CVSS 8.3
CVE-2019-9900 [HIGH] CVE-2019-9900 istio/envoy: Authorization bypass via null characters injection in HTTP/1.x
CVE-2019-9900 istio/envoy: Authorization bypass via null characters injection in HTTP/1.x
A flaw was found in Envoy 1.9.0 and older. When parsing HTTP/1.x header values, Envoy does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
Upstream issue:
https://github.com/envoyproxy/envoy/issues/6434
References:
https://istio.io/blog/2019/announcing-1.1.2/
Discussion:
Acknowledgments:
Name: the Envoy security team
---
This issue has been addressed in the following products:
OpenShift Service Mesh Tech Preview
Via RHSA-2019:0741 https://access.redhat.com/errata/RHSA-2019:0741
---
This bug is now closed. Furth
https://access.redhat.com/errata/RHSA-2019:0741https://github.com/envoyproxy/envoy/issues/6434https://github.com/envoyproxy/envoy/security/advisories/GHSA-x74r-f4mw-c32hhttps://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAMhttps://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_historyhttps://access.redhat.com/errata/RHSA-2019:0741https://github.com/envoyproxy/envoy/issues/6434https://github.com/envoyproxy/envoy/security/advisories/GHSA-x74r-f4mw-c32hhttps://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAMhttps://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history
2019-04-25
Published