CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2020:0734 | Third Party Advisory |
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3x9m-pgmg-xpx8 | Third Party Advisory |
https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history | Release Notes Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-03-04T20:53:13
Updated: 2020-03-11T11:06:33
Reserved: 2020-02-06T00:00:00
Link: CVE-2020-8664
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-03-04T21:15:11.497
Modified: 2021-07-21T11:39:23.747
Link: CVE-2020-8664
JSON object: View
Redhat Information
No data.
CWE