CVE-2021-21378Improper Authentication in Envoy

CWE-287Improper AuthenticationCWE-303Incorrect Implementation of Authentication Algorithm2 documents2 sources
Severity
8.2HIGHNVD
EPSS
0.4%
top 37.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Envoyproxy Envoy
Timeline
Latest updateMar 1
PublishedMar 11

Description

Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the `allow_missing` requirement under `requires_any` due to a mistake in implementation. Envoy's JWT Authentication filter can be configured with the `allow_missing` requirement that will be satisfied if JWT is missing (JwtMissed error) a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

CVEListV5envoyproxy/envoy= 1.17.0
NVDenvoyproxy/envoy1.17.0

Patches

Patch: github.comPatch: github.comPatch: github.com

📋Vendor Advisories

1
Red Hat
envoyproxy/envoy: JWT validation bypass when allow_missing is used2021-03-01
CVE-2021-21378 — Improper Authentication in Envoy | cvebase