CVE-2021-29492
Published 2021-05-28

Priority: P2 · 67 · high

CVSS 3.1: 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)

EPSS: 68.38% (99.2th percentile)
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy.

### Impact

Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted.

### Attack Vector

URL paths containing escaped slash characters delivered by untrusted client.

Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/` and `%5C` and `\` interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat `%2F` and `/` and `%5C` and `\` interchangeably.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.15.5 | 1.15.5 |
| envoyproxy | envoy | <= 1.18.2 | — |
| envoyproxy | envoy | >= 1.16.0 < 1.16.4 | 1.16.4 |
| envoyproxy | envoy | >= 1.17.0 < 1.17.3 | 1.17.3 |
| envoyproxy | envoy | >= 1.18.0 < 1.18.3 | 1.18.3 |
Detection & IOCs
- Detect HTTP requests containing percent-encoded slash sequences (%2F, %2f, %5C, %5c) in the URI path, which may indicate an attempt to bypass path-based authorization rules in Envoy or Istio.
- Flag HTTP requests with path traversal patterns using encoded slashes (e.g., %2F..%2F) targeting sensitive paths such as /admin, as these may bypass RBAC or JWT filter enforcement in Envoy.
- Monitor for HTTP requests with multiple slashes or escaped slash characters (%2F or %5C) in URI paths in Istio environments using path-based authorization policies.
- Envoy versions 1.18.2 and before are vulnerable; patches introducing a new path normalization option to decode escaped slash characters are available in versions 1.18.3, 1.17.3, 1.16.4, and 1.15.5.
- The vulnerability specifically impacts deployments using RBAC or JWT filters with URL path-based enforcement in Envoy, and path-based authorization rules in Istio before 1.8.6 / 1.9.x before 1.9.5.
- The attack surface only exists when backend servers treat %2F and / and %5C and \ interchangeably; reconfiguring backends to not treat them interchangeably is a viable workaround.
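
The detection items above can be turned into a log triage check. The following is an added example, not code from the advisory or from the Envoy or Istio projects: it compares a literal prefix match on the raw path (a simplified model of an unpatched path-based policy) with the path a backend would see if it treats `%2F`, `/`, `%5C` and `\` interchangeably and resolves dot segments. The function names, the `/admin` prefix default and the sample request targets are assumptions constructed for illustration.

```python
import posixpath
import re

# Escaped slash or backslash in either hex case: %2F, %2f, %5C, %5c.
ESCAPED_SLASH = re.compile(r"%(?:2f|5c)", re.IGNORECASE)

def backend_view(raw_path: str) -> str:
    """Path as seen by a backend that treats %2F, /, %5C and \\ alike,
    merges repeated slashes and resolves dot segments (assumed behaviour)."""
    decoded = ESCAPED_SLASH.sub("/", raw_path).replace("\\", "/")
    decoded = re.sub(r"/{2,}", "/", decoded)
    return posixpath.normpath(decoded)

def under(path: str, prefix: str) -> bool:
    """True if path is the protected prefix or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def classify(request_target: str, protected: str = "/admin") -> str:
    """Return 'policy-mismatch', 'escaped-slash' or 'clean'."""
    raw = request_target.split("?", 1)[0]              # drop the query string
    policy_matches = under(raw, protected)             # literal match, no decoding
    backend_hits = under(backend_view(raw), protected)
    if backend_hits and not policy_matches:
        return "policy-mismatch"   # backend resolves into a path the policy never saw
    if ESCAPED_SLASH.search(raw):
        return "escaped-slash"     # worth monitoring, no protected path reached
    return "clean"

def scan(targets, protected="/admin"):
    """Classify every request target; returns (target, verdict) pairs."""
    return [(t, classify(t, protected)) for t in targets]

# Constructed sample request targets, as they would appear in an access log.
SAMPLE_TARGETS = [
    "/something%2F..%2Fadmin",
    "/public%5c..%5cadmin/keys?x=1",
    "/files/a%2Fb.txt",
    "/admin/users",
    "/health",
]

if __name__ == "__main__":
    for target, verdict in scan(SAMPLE_TARGETS):
        print(f"{verdict:16} {target}")
```

A `policy-mismatch` verdict on traffic that reached the backend is the case to investigate first; `escaped-slash` alone is only a monitoring signal, since some applications legitimately carry encoded slashes in path segments.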
CVSS provenance
- nvd · v3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- vendor_redhat · 8.1 HIGH
Red Hat
istio/istio: HTTP request with escaped slash characters can bypass authorization mechanisms
vendor_redhat·2021-05-11·CVSS 8.1
CVE-2021-31920 [HIGH] CWE-863 istio/istio: HTTP request with escaped slash characters can bypass authorization mechanisms
Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.
An authorization bypass flaw was found in Istio. This flaw allows an attacker to craft an HTTP request that defines a certain pattern of escaped characters in the URI path (such as %2F, %2f, %5C, or %5c), allowing them to bypass the authorization service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: This CVE addresses the specific fixes required i
Red Hat
envoyproxy/envoy: HTTP request with escaped slash characters can bypass Envoy's authorization mechanisms
vendor_redhat·2021-05-11·CVSS 8.1
CVE-2021-29492 [HIGH] CWE-863 envoyproxy/envoy: HTTP request with escaped slash characters can bypass Envoy's authorization mechanisms
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy.

### Impact

Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted.

### Attack Vector

URL
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.