CVE-2019-9901 — Use of Incorrectly-Resolved Name or Reference in Envoyproxy Envoy

CWE-706 — Use of Incorrectly-Resolved Name or Reference CWE-20 — Improper Input Validation5 documents5 sources

Severity

10.0CRITICALNVD

EPSS

0.1%

top 74.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Envoyproxy Envoy Envoyproxy Envoy

Timeline

PublishedApr 25

Latest updateMay 24

Description

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages2 packages

▶Gogithub.com/envoyproxy_envoy< 1.9.1

▶NVDenvoyproxy/envoy1.9.0

🔴Vulnerability Details

GHSA

EnvoyProxy Envoy Missing HTTP URL path normalization↗2022-05-24

▶

OSV

EnvoyProxy Envoy Missing HTTP URL path normalization↗2022-05-24

▶

📋Vendor Advisories

Red Hat

istio/envoy: Path traversal via URL Patch manipulation in HTTP/1.x header↗2019-04-05

▶

💬Community

Bugzilla

CVE-2019-9901 istio/envoy: Path traversal via URL Patch manipulation in HTTP/1.x header↗2019-04-09

▶