CVE-2021-36371 - OpenCVE

Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Getambassador	Emissary-ingress

Configuration 1 [-]

cpe:2.3:a:getambassador:emissary-ingress:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/emissary-ingress/emissary/issues/3340	Exploit Third Party Advisory
https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea	Release Notes Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-07-09T20:19:45

Updated: 2021-07-12T19:21:53

Reserved: 2021-07-09T00:00:00

Link: CVE-2021-36371

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-07-09T21:15:08.583

Modified: 2021-07-14T14:57:33.607

Link: CVE-2021-36371

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-12T19:21:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/emissary-ingress/emissary/issues/3340"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-36371", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/emissary-ingress/emissary/issues/3340", "refsource": "MISC", "url": "https://github.com/emissary-ingress/emissary/issues/3340"}, {"name": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea", "refsource": "MISC", "url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-36371", "datePublished": "2021-07-09T20:19:45", "dateReserved": "2021-07-09T00:00:00", "dateUpdated": "2021-07-12T19:21:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getambassador:emissary-ingress:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B2281C9-BA17-4B88-A762-3CA71940E3A5", "versionEndIncluding": "1.13.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)"}, {"lang": "es", "value": "Emissary-Ingress (antes Ambassador API Gateway) hasta la versi\u00f3n 1.13.9 permite a los atacantes eludir los requisitos de certificado del cliente (es decir, mTLS cert_required) en los flujos ascendentes del backend cuando se define m\u00e1s de un TLSContext y existe al menos una configuraci\u00f3n que no requiere autenticaci\u00f3n de certificado del cliente. El atacante debe enviar un SNI especificando un backend no protegido y una cabecera HTTP Host especificando un backend protegido. (Las versiones 2.x no se ven afectadas. Las versiones 1.x no se ven afectadas con ciertos ajustes de configuraci\u00f3n que implican prune_unreachable_routes y un recurso Host comod\u00edn)"}], "id": "CVE-2021-36371", "lastModified": "2021-07-14T14:57:33.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-09T21:15:08.583", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/emissary-ingress/emissary/issues/3340"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}