CVE-2021-36371 - OpenCVE

Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Getambassador	Emissary-ingress

Configuration 1 [-]

cpe:2.3:a:getambassador:emissary-ingress:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/emissary-ingress/emissary/issues/3340
https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-07-09T20:19:45

Updated: 2024-08-04T00:54:51.414Z

Reserved: 2021-07-09T00:00:00

Link: CVE-2021-36371

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-07-09T21:15:08.583

Modified: 2021-07-14T14:57:33.607

Link: CVE-2021-36371

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-12T19:21:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/emissary-ingress/emissary/issues/3340"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-36371", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/emissary-ingress/emissary/issues/3340", "refsource": "MISC", "url": "https://github.com/emissary-ingress/emissary/issues/3340"}, {"name": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea", "refsource": "MISC", "url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:54:51.414Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/emissary-ingress/emissary/issues/3340"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-36371", "datePublished": "2021-07-09T20:19:45", "dateReserved": "2021-07-09T00:00:00", "dateUpdated": "2024-08-04T00:54:51.414Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getambassador:emissary-ingress:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B2281C9-BA17-4B88-A762-3CA71940E3A5", "versionEndIncluding": "1.13.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)"}, {"lang": "es", "value": "Emissary-Ingress (antes Ambassador API Gateway) hasta la versi\u00f3n 1.13.9 permite a los atacantes eludir los requisitos de certificado del cliente (es decir, mTLS cert_required) en los flujos ascendentes del backend cuando se define m\u00e1s de un TLSContext y existe al menos una configuraci\u00f3n que no requiere autenticaci\u00f3n de certificado del cliente. El atacante debe enviar un SNI especificando un backend no protegido y una cabecera HTTP Host especificando un backend protegido. (Las versiones 2.x no se ven afectadas. Las versiones 1.x no se ven afectadas con ciertos ajustes de configuraci\u00f3n que implican prune_unreachable_routes y un recurso Host comod\u00edn)"}], "id": "CVE-2021-36371", "lastModified": "2021-07-14T14:57:33.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-09T21:15:08.583", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/emissary-ingress/emissary/issues/3340"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}