CVE-2019-9901 Information

Description

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path e.g. something/../admin to bypass access control e.g. a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Reference

https://github.com/envoyproxy/envoy/issues/6435 https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w https://groups.google.com/forum/!topic/envoy-announce/VoHfnDqZiAM https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

10.0