CVE-2021-32779Incorrect Behavior Order: Authorization Before Parsing and Canonicalization in Envoy

CWE-551Incorrect Behavior Order: Authorization Before Parsing and CanonicalizationCWE-863Incorrect AuthorizationCWE-697Incorrect Comparison5 documents4 sources
Severity
8.6HIGHNVD
NVD8.3GHSA8.3OSV8.3
EPSS
0.0%
top 89.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Pomerium PomeriumEnvoyproxy EnvoyPomerium
Timeline
PublishedAug 24
Latest updateSep 10

Description

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final "/admin" path element, or is using a negative assertion with final path element of "/admin". The client sends request to "/app1/admin#foo". In Envoy prior to 1.18.0, or 1.18

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.7

Affected Packages4 packages

NVDenvoyproxy/envoy1.17.01.17.4+4
CVEListV5envoyproxy/envoy4 versions+3
NVDpomerium/pomerium0.11.00.14.8+1
Gogithub.com/pomerium_pomerium0.11.00.14.8+1

🔴Vulnerability Details

2
OSV
Incorrect Authorization with specially crafted requests2021-09-10
GHSA
Incorrect Authorization with specially crafted requests2021-09-10

📋Vendor Advisories

1
Red Hat
envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass authorization policies2021-08-24
CVE-2021-32779 — Envoyproxy Envoy vulnerability | cvebase