CVE-2019-9901
Published: 2019-04-25
Priority: P3
CVSS 3.0: 10.0 (critical)
EPSS: 2.68% (83.9th percentile)
Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | <= 1.9.0 | — |
| github.com | envoyproxy_envoy | >= 0 < 1.9.1 | 1.9.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA (2022-05-24): CVE-2019-9901 [CRITICAL] CWE-706 EnvoyProxy Envoy Missing HTTP URL path normalization
OSV (2022-05-24): CVE-2019-9901 [CRITICAL] EnvoyProxy Envoy Missing HTTP URL path normalization
Red Hat (2019-04-05, CVSS 6.5): CVE-2019-9901 [MEDIUM] CWE-20 istio/envoy: Path traversal via URL Path manipulation in HTTP/1.x header
A flaw was found in Envoy version 1.9.0 and older, where Envoy does not normalize HTTP URL paths. This flaw allows a remote attacker to craft a path with a relative path and to bypass access control. This issue results in a backend server with the ability to interpret the unnormalized path.
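The bypass described in the Red Hat text above and in the NVD description near the top, as an added example that is not Envoy's code: a constructed prefix policy denying `/admin` is evaluated first on the raw request path (the pre-1.9.1 behaviour) and then on the path after RFC 3986 dot-segment removal, which is what the backend will actually resolve. The policy, sample paths and function names are assumptions for illustration only.

```python
"""Added example (not Envoy code): a path-prefix deny rule must be evaluated on
the normalized path, because the backend resolves '..' segments even if the proxy
compared the raw string against its policy."""

from typing import List


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments as in RFC 3986 section 5.2.4.

    A '..' at the root is dropped rather than escaping above '/', matching what a
    typical backend route or file resolver does. Keeps a trailing slash.
    """
    out: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith(("/", "/.", "/..")) and norm != "/":
        norm += "/"
    return norm


# Constructed policy (assumption): deny /admin and everything below it.
DENY_PREFIXES = ("/admin",)


def denied_by_prefix(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in DENY_PREFIXES)


def vulnerable_check(path: str) -> bool:
    """Envoy <= 1.9.0 behaviour: the policy sees the raw, unnormalized path."""
    return denied_by_prefix(path)


def fixed_check(path: str) -> bool:
    """Normalize first, then apply the policy to what the backend will see."""
    return denied_by_prefix(remove_dot_segments(path))


if __name__ == "__main__":
    for raw in ("/admin", "/something/../admin", "/public/../public/index.html"):
        print(f"{raw:32} raw denied={vulnerable_check(raw)!s:5} "
              f"normalized={remove_dot_segments(raw)} denied={fixed_check(raw)}")
```

Envoy 1.9.1 exposes this normalization as the HTTP connection manager `normalize_path` option; the fix is to normalize before policy evaluation, not to rely on the backend doing it.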
No detection rules found.
No public exploits indexed.
References:
- https://github.com/envoyproxy/envoy/issues/6435
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w
- https://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAM
- https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history