{"containers": {"cna": {"affected": [{"product": "envoy", "vendor": "envoyproxy", "versions": [{"status": "affected", "version": ">= 1.19.0, < 1.19.1"}, {"status": "affected", "version": ">= 1.18.0, < 1.18.4"}, {"status": "affected", "version": ">= 1.17.0, < 1.17.4"}, {"status": "affected", "version": ">= 1.16.0, < 1.16.5"}]}], "descriptions": [{"lang": "en", "value": "Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final \"/admin\" path element, or is using a negative assertion with final path element of \"/admin\". The client sends request to \"/app1/admin#foo\". In Envoy prior to 1.18.0, or 1.18.0+ configured with path_normalization=false. Envoy treats fragment as a suffix of the query string when present, or as a suffix of the path when query string is absent, so it evaluates the final path element as \"/admin#foo\" and mismatches with the configured \"/admin\" path element. In Envoy 1.18.0+ configured with path_normalization=true. Envoy transforms this to /app1/admin%23foo and mismatches with the configured /admin prefix. The resulting URI is sent to the next server-agent with the offending \"#foo\" fragment which violates RFC3986 or with the nonsensical \"%23foo\" text appended. A specifically constructed request with URI containing '#fragment' element delivered by an untrusted client in the presence of path based request authorization resulting in escalation of Privileges when path based request authorization extensions. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in incoming requests."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-551", "description": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-24T20:45:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9"}], "source": {"advisory": "GHSA-r222-74fw-jqr9", "discovery": "UNKNOWN"}, "title": "Incorrectly handling of URI '#fragment' element as part of the path element", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32779", "STATE": "PUBLIC", "TITLE": "Incorrectly handling of URI '#fragment' element as part of the path element"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "envoy", "version": {"version_data": [{"version_value": ">= 1.19.0, < 1.19.1"}, {"version_value": ">= 1.18.0, < 1.18.4"}, {"version_value": ">= 1.17.0, < 1.17.4"}, {"version_value": ">= 1.16.0, < 1.16.5"}]}}]}, "vendor_name": "envoyproxy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final \"/admin\" path element, or is using a negative assertion with final path element of \"/admin\". The client sends request to \"/app1/admin#foo\". In Envoy prior to 1.18.0, or 1.18.0+ configured with path_normalization=false. Envoy treats fragment as a suffix of the query string when present, or as a suffix of the path when query string is absent, so it evaluates the final path element as \"/admin#foo\" and mismatches with the configured \"/admin\" path element. In Envoy 1.18.0+ configured with path_normalization=true. Envoy transforms this to /app1/admin%23foo and mismatches with the configured /admin prefix. The resulting URI is sent to the next server-agent with the offending \"#foo\" fragment which violates RFC3986 or with the nonsensical \"%23foo\" text appended. A specifically constructed request with URI containing '#fragment' element delivered by an untrusted client in the presence of path based request authorization resulting in escalation of Privileges when path based request authorization extensions. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in incoming requests."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"}]}, {"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history", "refsource": "MISC", "url": "https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history"}, {"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9", "refsource": "CONFIRM", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9"}]}, "source": {"advisory": "GHSA-r222-74fw-jqr9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:55.667Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32779", "datePublished": "2021-08-24T20:45:09", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.667Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFC3BF7F-5B28-4765-8C6F-E2437A4B425D", "versionEndExcluding": "1.16.5", "versionStartIncluding": "1.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "83547329-1394-417F-93DB-70C1A9D173B0", "versionEndExcluding": "1.17.4", "versionStartIncluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7376E28-9915-4CA1-A5DB-40874D10E781", "versionEndExcluding": "1.18.4", "versionStartIncluding": "1.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:1.19.0:*:*:*:*:*:*:*", "matchCriteriaId": "1968AA35-60E2-4A00-84A0-617738B55D33", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final \"/admin\" path element, or is using a negative assertion with final path element of \"/admin\". The client sends request to \"/app1/admin#foo\". In Envoy prior to 1.18.0, or 1.18.0+ configured with path_normalization=false. Envoy treats fragment as a suffix of the query string when present, or as a suffix of the path when query string is absent, so it evaluates the final path element as \"/admin#foo\" and mismatches with the configured \"/admin\" path element. In Envoy 1.18.0+ configured with path_normalization=true. Envoy transforms this to /app1/admin%23foo and mismatches with the configured /admin prefix. The resulting URI is sent to the next server-agent with the offending \"#foo\" fragment which violates RFC3986 or with the nonsensical \"%23foo\" text appended. A specifically constructed request with URI containing '#fragment' element delivered by an untrusted client in the presence of path based request authorization resulting in escalation of Privileges when path based request authorization extensions. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in incoming requests."}, {"lang": "es", "value": "Envoy es un proxy L7 de c\u00f3digo abierto y un bus de comunicaci\u00f3n dise\u00f1ado para grandes arquitecturas modernas orientadas a servicios. En las versiones afectadas, Envoy manejaba inapropiadamente un elemento URI \"#fragment\" como parte del elemento path. Envoy est\u00e1 configurado con un filtro RBAC para la autorizaci\u00f3n o un mecanismo similar con un caso expl\u00edcito de un elemento de ruta final \"/admin\", o est\u00e1 usando una aserci\u00f3n negativa con un elemento de ruta final de \"/admin\". El cliente env\u00eda la petici\u00f3n a \"/app1/admin#foo\". En Envoy versiones anteriores a 1.18.0, o 1.18.0+ configurado con path_normalization=false. Envoy trata el fragmento como un sufijo de la cadena de consulta cuando est\u00e1 presente, o como un sufijo de la ruta cuando la cadena de consulta est\u00e1 ausente, por lo que eval\u00faa el elemento final de la ruta como \"/admin#foo\" y no coincide con el elemento configurado de la ruta \"/admin\". En Envoy 1.18.0+ configurado con path_normalization=true. Envoy transforma esto en /app1/admin%23foo y no coincide con el prefijo /admin configurado. El URI resultante es enviado al siguiente agente-servidor con el fragmento \"#foo\" que viola la RFC3986 o con el texto sin sentido \"%23foo\" a\u00f1adido. Una petici\u00f3n espec\u00edficamente construida con un URI que contiene el elemento \"#fragment\" entregado por un cliente no confiable en presencia de una autorizaci\u00f3n de petici\u00f3n basada en la ruta de acceso, resultando en una escalada de Privilegios cuando las extensiones de autorizaci\u00f3n de peticiones son basadas en la ruta de acceso. Envoy versiones 1.19.1, 1.18.4, 1.17.4 y 1.16.5, contienen correcciones que eliminan el fragmento de la ruta URI en las peticiones entrantes."}], "id": "CVE-2021-32779", "lastModified": "2024-11-21T06:07:43.463", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-24T21:15:09.823", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-551"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-697"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Envoy Security Team for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:3273", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-proxy-0:1.1.17-2.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2021-08-25T00:00:00Z"}, {"advisory": "RHSA-2021:3272", "cpe": "cpe:/a:redhat:service_mesh:2.0::el8", "package": "servicemesh-proxy-0:2.0.7-3.el8", "product_name": "OpenShift Service Mesh 2.0", "release_date": "2021-08-25T00:00:00Z"}], "bugzilla": {"description": "envoyproxy/envoy: HTTP request with a URL fragment in the URI can bypass authorization policies", "id": "1996934", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1996934"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-863", "details": ["Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final \"/admin\" path element, or is using a negative assertion with final path element of \"/admin\". The client sends request to \"/app1/admin#foo\". In Envoy prior to 1.18.0, or 1.18.0+ configured with path_normalization=false. Envoy treats fragment as a suffix of the query string when present, or as a suffix of the path when query string is absent, so it evaluates the final path element as \"/admin#foo\" and mismatches with the configured \"/admin\" path element. In Envoy 1.18.0+ configured with path_normalization=true. Envoy transforms this to /app1/admin%23foo and mismatches with the configured /admin prefix. The resulting URI is sent to the next server-agent with the offending \"#foo\" fragment which violates RFC3986 or with the nonsensical \"%23foo\" text appended. A specifically constructed request with URI containing '#fragment' element delivered by an untrusted client in the presence of path based request authorization resulting in escalation of Privileges when path based request authorization extensions. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in incoming requests.", "An authorization bypass vulnerability was found in envoyproxy/envoy. When a URI path-based authorization policy is specified, envoy incorrectly evaluates the HTTP request which contains a URI #fragment. This flaw allows an attacker to bypass the authorization policy and access downstream services. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2021-32779", "public_date": "2021-08-24T19:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-32779\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-32779\nhttps://istio.io/latest/news/security/istio-security-2021-008/"], "threat_severity": "Important", "upstream_fix": "envoyrproxy/envoy 1.16.5, envoyproxy/envoy 1.19.1, envoyproxy/envoy 1.18.4, envoyproxy/envoy 1.17.4"}