Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.
References
Link | Resource |
---|---|
https://github.com/envoyproxy/envoy/issues/6435 | Mitigation Issue Tracking Third Party Advisory |
https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w | |
https://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAM | |
https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-04-25T15:31:19
Updated: 2019-11-12T13:40:31
Reserved: 2019-03-21T00:00:00
Link: CVE-2019-9901
JSON object: View
NVD Information
Status : Modified
Published: 2019-04-25T16:29:01.200
Modified: 2023-11-07T03:13:48.590
Link: CVE-2019-9901
JSON object: View
Redhat Information
No data.
CWE