Vulnerability type
Incorrect Access Control
Attack type
Impersonation
Impact
Escalation of Privileges
Unauthorized access to service, service spoofing
Discoverer(s)/Credits
Andon Andonov (Microsoft)
Ryan Michela (Salesforce)
Scott Beardsley (Pinterest)
Jasper Misset (Visma Connect)
Description (full; not included in CVE but will be published on GitHub later and linked)
For the SDS TLS validation context in Envoy version 1.13.0 and earlier, the update callback was called only when the secret was received for the first time or when its value changed. This meant that if the same secret (e.g. a trusted CA) was used in multiple resources, resources that used it but were configured after the secret had already been received remained unconfigured until the secret's value changed. The missing callback should have left the affected transport factories stuck in the "not ready" state; however, because of a code defect, the already available secret was processed as if it were an inlined validation context, and only rules from the dynamic ("secret") part of the validation context were applied, leading to a complete bypass of the rules from the static ("default") part.
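To make the static/dynamic split concrete, the following is an added example of the configuration shape the description refers to; it is not part of the advisory or of the Envoy project's own documentation. It uses the Envoy v3 API field names; the cluster names, the SAN value, the SDS secret name and the CA file path are assumptions for illustration. The peer identity rule lives in the static `default_validation_context`, while only the trusted CA arrives dynamically through SDS, which is exactly the part that an affected Envoy still enforced.

```yaml
# Added example (not from the advisory): an Envoy v3 upstream TLS context that
# combines a static ("default") validation context with a dynamic one fetched
# over SDS. Cluster, SAN and secret names below are assumptions for illustration.
clusters:
- name: backend
  connect_timeout: 1s
  type: STRICT_DNS
  load_assignment:
    cluster_name: backend
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: backend.example.internal, port_value: 8443 }
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      common_tls_context:
        combined_validation_context:
          # Static part: the peer identity rule. This is the rule that an affected
          # Envoy silently dropped when the SDS secret below had already been
          # delivered to the process before this cluster was configured.
          default_validation_context:
            match_subject_alt_names:
            - exact: "spiffe://example.internal/backend"
          # Dynamic part: only the trusted CA comes from SDS. With the static
          # rules bypassed, any certificate chaining to this CA was accepted.
          validation_context_sds_secret_config:
            name: trusted_ca
            sds_config:
              api_config_source:
                api_type: GRPC
                transport_api_version: V3
                grpc_services:
                - envoy_grpc:
                    cluster_name: sds_server
---
# The matching Secret resource as a hypothetical SDS server would return it.
# Note that it carries no SAN rules at all; those are meant to come from the
# static part above.
resources:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: trusted_ca
  validation_context:
    trusted_ca:
      filename: /etc/envoy/certs/ca.pem
```

The trigger condition in the description is several resources (clusters or listeners) sharing one SDS secret name, with some of them configured after the secret was first delivered. After upgrading past the affected versions, a useful regression check is to present a certificate issued by the trusted CA whose SAN does not match the `default_validation_context` rule and confirm that the handshake is rejected rather than accepted.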