CVE-1019-18802
Brief description
A request header with trailing whitespace may cause route matchers or access controls to be bypassed, resulting in escalation of privileges or information disclosure.
CVSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
(CVSS score 7.5, High)
Affected version(s)
Envoy 1.12.1 and before.
Affected component(s)
HTTP/1.x codec
Attack vector(s)
An untrusted remote client may send an HTTP header, for example a Host: header, with whitespace after the header content. Envoy will treat “header-value ” as a different string from “header-value”, so for example the Host header “hostname.com ” would bypass matchers for “hostname.com”.
Discoverer(s)/Credits
Alyssa Wilk, Google
Details
The parser in Envoy’s HTTP/1 codec incorrectly fails to trim whitespace after header values. This results in obvious security problems for multi-level deployments where an edge Envoy has matchers for “my-super-secret-content.com” to direct-reply from the edge Envoy: they will fail to match “my-super-secret-content.com ” (with trailing LWS), which would be proxied to a second-level proxy that (if it is properly HTTP/1.1 compliant) will strip the whitespace and leak privileged content.
Mitigations
Detection
The untrimmed hosts will be present in access logs.
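The following is an added example, not Envoy code, illustrating both the Details and Detection sections: a parser that keeps trailing optional whitespace (the behaviour described above) beside an RFC 7230-style parser that strips it, an exact-match matcher showing which one is bypassed, and a scan over constructed access-log lines for authorities carrying trailing whitespace. The log line layout (authority as the second-to-last quoted field) and all sample values are assumptions.

```python
from __future__ import annotations
import re

OWS = " \t"  # RFC 7230 optional whitespace: space and horizontal tab


def untrimmed_parse(raw: str) -> tuple[str, str]:
    """Behaviour described in the advisory: trailing OWS on the value is kept."""
    name, _, value = raw.partition(":")
    return name.strip().lower(), value.lstrip(OWS)


def compliant_parse(raw: str) -> tuple[str, str]:
    """RFC 7230 section 3.2: OWS is stripped from both ends of the field value."""
    name, _, value = raw.partition(":")
    return name.strip().lower(), value.strip(OWS)


def host_matches(header_line: str, expected_host: str, parser) -> bool:
    """Stand-in for an exact-match route matcher on the Host header."""
    name, value = parser(header_line)
    return name == "host" and value == expected_host


# Constructed access-log lines (hypothetical format): the authority is the
# second-to-last quoted field, the upstream host the last one.
SAMPLE_LOG = [
    '[2019-12-10T12:00:00.000Z] "GET /index.html HTTP/1.1" 200 - 0 512 3 2 '
    '"-" "curl/7.64.1" "req-1" "hostname.com" "10.0.0.5:8080"',
    '[2019-12-10T12:00:01.000Z] "GET /admin HTTP/1.1" 200 - 0 4096 5 4 '
    '"-" "curl/7.64.1" "req-2" "hostname.com " "10.0.0.6:8080"',
]
AUTHORITY_RE = re.compile(r'"(?P<authority>[^"]*)" "[^"]*"$')


def untrimmed_authorities(log_lines: list[str]) -> list[str]:
    """Return authorities whose logged value ends in OWS, for alerting."""
    hits = []
    for line in log_lines:
        m = AUTHORITY_RE.search(line)
        if m and m.group("authority") != m.group("authority").rstrip(OWS):
            hits.append(m.group("authority"))
    return hits


if __name__ == "__main__":
    line = "Host: hostname.com "
    print("untrimmed matcher:", host_matches(line, "hostname.com", untrimmed_parse))
    print("compliant matcher:", host_matches(line, "hostname.com", compliant_parse))
    print("suspicious authorities:", untrimmed_authorities(SAMPLE_LOG))
```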
References