CVE-2020-11767: Sensitive Information Exposure in Envoy

Severity: 3.1 LOW (NVD)
EPSS: 0.1% (top 75.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 15
Latest update: May 24

Description

Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Exploitability: 1.6 | Impact: 1.4

Affected Packages (2 packages)

NVD: envoyproxy/envoy 1.14.1
NVD: istio/istio 1.5.1

🔴 Vulnerability Details (1)

GHSA
GHSA-hvwr-mw2m-chj3: Istio through 1 (2022-05-24)

📋 Vendor Advisories (1)

Red Hat
istio/envoy: forward proxy between the victim and the origin leads to information disclosure (2020-04-14)

💬 Community (1)

Bugzilla
CVE-2020-11767 istio/envoy: forward proxy between the victim and the origin leads to information disclosure (2020-06-18)