CVE-2021-29492
published 2021-05-28

CVE-2021-29492: Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and…

Priority: P2 · 67 · high
CVSS 3.1: 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
EPSS: 68.38% (99.2th percentile)
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode the slash sequences, normalize the path and provide the attacker access beyond the scope allowed by the access control policy.

### Impact

Escalation of privileges when using RBAC or JWT filters with enforcement based on URL path. Users with backend servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted.

### Attack Vector

URL paths containing escaped slash characters delivered by an untrusted client.

Patches in versions 1.18.3, 1.17.3, 1.16.4 and 1.15.5 contain a new path normalization option to decode escaped slash characters. As a workaround, if backend servers treat `%2F` and `/` and `%5C` and `\` interchangeably and URL path based access control is configured, one may reconfigure the backend server to not treat `%2F` and `/` and `%5C` and `\` interchangeably.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.15.5 | 1.15.5 |
| envoyproxy | envoy | <= 1.18.2 | |
| envoyproxy | envoy | >= 1.16.0 < 1.16.4 | 1.16.4 |
| envoyproxy | envoy | >= 1.17.0 < 1.17.3 | 1.17.3 |
| envoyproxy | envoy | >= 1.18.0 < 1.18.3 | 1.18.3 |

Detection & IOCs (extracted from sources)

url: /something%2F..%2Fadmin
  • Detect HTTP requests containing percent-encoded slash sequences (%2F, %2f, %5C, %5c) in the URI path, which may indicate an attempt to bypass path-based authorization rules in Envoy or Istio.
  • Flag HTTP requests with path traversal patterns using encoded slashes (e.g., %2F..%2F) targeting sensitive paths such as /admin, as these may bypass RBAC or JWT filter enforcement in Envoy.
  • Monitor for HTTP requests with multiple slashes or escaped slash characters (%2F or %5C) in URI paths in Istio environments using path-based authorization policies.
  • Envoy versions 1.18.2 and before are vulnerable; patches introducing a new path normalization option to decode escaped slash characters are available in versions 1.18.3, 1.17.3, 1.16.4, and 1.15.5.
  • The vulnerability specifically impacts deployments using RBAC or JWT filters with URL path-based enforcement in Envoy, and path-based authorization rules in Istio before 1.8.6 / 1.9.x before 1.9.5.
  • The attack surface only exists when backend servers treat %2F and / and %5C and \ interchangeably; reconfiguring backends to not treat them interchangeably is a viable workaround.
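As an added example (not code from this page or from the Envoy project), the following Python models the proxy/backend mismatch the advisory describes and runs the detection heuristics above over a few constructed access-log lines. The `/admin` protected prefix, the log format and the backend normalization model are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Percent-encoded forward or back slash, in either case.
ENCODED_SLASH = re.compile(r"%(2f|5c)", re.IGNORECASE)
# Request line as it appears in a common access-log format (assumed).
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def has_encoded_slash(raw_path: str) -> bool:
    """Cheap first-pass signal: %2F or %5C present in the undecoded path."""
    return ENCODED_SLASH.search(raw_path) is not None

def proxy_view(raw_path: str) -> str:
    """Path as an unpatched proxy matched it: the RBAC/JWT rule is
    evaluated without decoding %2F or %5C."""
    return raw_path.split("?", 1)[0]

def backend_view(raw_path: str) -> str:
    """Constructed model of a backend that treats %2F and / (and %5C and
    \\) interchangeably and resolves '..' segments; not any real server's code."""
    decoded = unquote(proxy_view(raw_path)).replace("\\", "/")
    return posixpath.normpath(decoded)

def is_bypass_candidate(raw_path: str, protected_prefix: str = "/admin") -> bool:
    """True when the proxy's prefix rule would not match but a slash-
    interchangeable backend resolves the path under the protected prefix."""
    return (has_encoded_slash(raw_path)
            and not proxy_view(raw_path).startswith(protected_prefix)
            and backend_view(raw_path).startswith(protected_prefix))

def triage_log(lines, protected_prefix="/admin"):
    """Return (raw path, backend-resolved path) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQ_LINE.search(line)
        if m and is_bypass_candidate(m.group("path"), protected_prefix):
            hits.append((m.group("path"), backend_view(m.group("path"))))
    return hits

# Constructed sample access-log lines, not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/May/2021:10:00:02 +0000] "GET /something%2F..%2Fadmin HTTP/1.1" 200 88',
    '10.0.0.9 - - [28/May/2021:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0',
    '10.0.0.9 - - [28/May/2021:10:00:04 +0000] "GET /docs%2Fguide.html HTTP/1.1" 200 1024',
]
```

`triage_log(SAMPLE_LOG)` flags only the second line: the proxy matched `/something%2F..%2Fadmin`, which a slash-interchangeable backend resolves to `/admin`; a plain `/admin` request is handled by the rule itself and an encoded slash that does not resolve under the prefix is left alone.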

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | | 8.1 | HIGH | |