CVE-2022-21657
published 2022-02-22

Priority: P4 34
Severity: medium, CVSS 3.1 base score 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.51% (39.5th percentile)
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.
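The behaviour the advisory describes, as an added example (this is not Envoy's or Pomerium's code): a Go program using only the standard library's crypto/x509 mints a throwaway CA and leaf with chosen extendedKeyUsage values, then verifies the leaf twice. With the EKU check disabled (x509.ExtKeyUsageAny) an id-kp-emailProtection leaf is accepted, and so is a chain whose CA carries only id-kp-emailProtection; requiring id-kp-serverAuth along the whole chain rejects both. The hostname "upstream.example", the helper names must, mintChain, verifyPeer and PeerAccepted, and the certificates themselves are constructed for the example. The mirror-image check for Envoy acting as a TLS server is the same call with x509.ExtKeyUsageClientAuth.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on a setup error; the demo PKI is constructed data, so a failure
// here is a bug in the example, never a verification result.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintChain builds a throwaway PKI: a self-signed CA and a leaf for
// "upstream.example" issued by it, each with the extendedKeyUsage values given.
func mintChain(caEKU, leafEKU []x509.ExtKeyUsage) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		ExtKeyUsage:           caEKU,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca = must(x509.ParseCertificate(caDER))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "upstream.example"},
		DNSNames:     []string{"upstream.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  leafEKU,
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	leaf = must(x509.ParseCertificate(leafDER))
	return ca, leaf
}

// verifyPeer validates leaf against ca the way a TLS endpoint validates its peer.
// required is the EKU demanded of every certificate in the chain: ServerAuth for a
// client checking an upstream, ClientAuth for a server checking a client. Passing
// ExtKeyUsageAny turns the EKU check off, which is the behaviour in the advisory.
func verifyPeer(leaf, ca *x509.Certificate, required x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{required}}
	if required != x509.ExtKeyUsageClientAuth {
		opts.DNSName = "upstream.example" // hostname matching applies to server certs only
	}
	_, err := leaf.Verify(opts)
	return err
}

// PeerAccepted mints a chain with the given EKUs and reports whether a verifier
// demanding required would accept it.
func PeerAccepted(caEKU, leafEKU []x509.ExtKeyUsage, required x509.ExtKeyUsage) bool {
	ca, leaf := mintChain(caEKU, leafEKU)
	return verifyPeer(leaf, ca, required) == nil
}

func main() {
	email := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	server := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	cases := []struct {
		name           string
		caEKU, leafEKU []x509.ExtKeyUsage
	}{{"S/MIME leaf under a TLS CA", server, email}, {"TLS leaf from an S/MIME-only CA", email, server}}
	for _, c := range cases {
		lenient := PeerAccepted(c.caEKU, c.leafEKU, x509.ExtKeyUsageAny)
		strict := PeerAccepted(c.caEKU, c.leafEKU, x509.ExtKeyUsageServerAuth)
		fmt.Printf("%-32s  no EKU check: %-5v  require serverAuth: %v\n", c.name, lenient, strict)
	}
}
```

The second case is the one the advisory singles out: an issuer that is only supposed to sign S/MIME certificates can mint a leaf that carries id-kp-serverAuth, and only a verifier that checks the EKU of the CA as well as the leaf catches it. To inspect a certificate on disk for the same property, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` prints its EKU list.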

Affected

6 ranges

Vendor       Product            Version range          Fixed in
envoyproxy   envoy              < 1.18.6               1.18.6
envoyproxy   envoy
envoyproxy   envoy
envoyproxy   envoy              >= 1.19.0, < 1.19.3    1.19.3
envoyproxy   envoy              >= 1.20.0, < 1.20.2    1.20.2
github.com   pomerium_pomerium  >= 0, < 0.16.4         0.16.4

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd            v2.0     4.0    MEDIUM    AV:N/AC:L/Au:S/C:N/I:P/A:N
ghsa                    7.5    HIGH
osv                     7.5    HIGH
vendor_redhat           6.8    MEDIUM