Bypass of path matching rules using escaped slash characters

High
lizan published GHSA-4987-27fx-x6cf May 11, 2021

Package

No package listed

Affected versions

1.18.2, 1.17.2, 1.16.3, 1.15.4

Patched versions

1.18.3, 1.17.3, 1.16.4, 1.15.5

Description

Envoy does not decode the escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and earlier. A remote attacker can craft a path containing escaped slashes, e.g. /something%2F..%2Fadmin, to bypass path-based access control, e.g. a rule blocking /admin. A backend server that decodes the escaped slashes and then normalizes the path would resolve it to /admin, giving the attacker access beyond what the access control policy allows.

Impact

Escalation of privilege when using the RBAC or JWT filters with enforcement based on the URL path. Users whose backend servers treat %2F and /, and %5C and \, interchangeably are affected.

Attack Vector

URL paths containing escaped slash characters, delivered by an untrusted client.

Patches

Envoy versions 1.18.3, 1.17.3, 1.16.4 and 1.15.5 contain a new path normalization option to decode escaped slash characters.

Workarounds

If backend servers treat %2F and /, and %5C and \, interchangeably and URL-path-based access control is configured, we recommend reconfiguring the backend servers not to treat these sequences interchangeably, where feasible.
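The following is an added example, not code from the advisory or from the Envoy project. It models the mismatch the Description section describes (a proxy matching a `/admin` deny rule against the raw path while a lenient backend decodes `%2F`/`%5C` and resolves `..`), then shows the two defender-side fixes the page mentions: a patched-style proxy check that decodes escaped slashes (or rejects them) before evaluating the rule, and the Workarounds section's strict backend that never treats a decoded slash as a separator. The deny rule, the `reject`/`unescape` mode names, the decision to map `%5C` to `/` for the hardened check, and the sample paths are all assumptions of this example; Envoy's real configuration field is not named here.

```python
"""Model of the CVE-2021-29492 mismatch between an edge proxy's path-based
access control and a lenient backend, plus patched-style and workaround
behaviours. Constructed example, not Envoy source code."""
import re
from urllib.parse import unquote

# Hypothetical RBAC rule: deny anything under /admin (the advisory's example).
BLOCKED_PREFIX = "/admin"

# Escaped forward slash (%2F) and backslash (%5C), either case.
ESCAPED_SLASH_RE = re.compile(r"%(2F|5C)", re.IGNORECASE)


def _resolve_dots(segments):
    """Drop empty and '.' segments and pop one level for each '..';
    a '..' at the root is ignored rather than climbing above it."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return tuple(out)


def normalize_path(path):
    """Structural normalization only: merge slashes and resolve dot segments.
    No percent-decoding, so '%2F' stays inside its segment."""
    return "/" + "/".join(_resolve_dots(path.split("/")))


def proxy_check_vulnerable(path):
    """Pre-fix behaviour: the rule is matched against the path with escaped
    slashes left in place, so '/something%2F..%2Fadmin' is one opaque segment."""
    return not normalize_path(path).startswith(BLOCKED_PREFIX)


def unescape_slashes(path):
    """Decode only %2F/%5C. Both map to '/' because the threat model is a
    backend that treats backslash and slash interchangeably (modelling choice)."""
    return ESCAPED_SLASH_RE.sub("/", path)


def proxy_check_hardened(path, mode="unescape"):
    """Patched-style behaviour (mode names are this example's own).
    mode='reject' refuses any path carrying an escaped slash; mode='unescape'
    decodes %2F/%5C before normalizing, so the rule is evaluated on the same
    path the backend will see."""
    if mode == "reject" and ESCAPED_SLASH_RE.search(path):
        return False
    return not normalize_path(unescape_slashes(path)).startswith(BLOCKED_PREFIX)


def backend_lenient(path):
    """Impacted backend: decodes every escape, treats backslash like slash,
    then resolves dot segments. Returns the routing segments."""
    return _resolve_dots(unquote(path).replace("\\", "/").split("/"))


def backend_strict(path):
    """Workaround backend: splits on literal '/' first, then decodes each
    segment, so a decoded '/' or backslash is data inside a segment, never
    a separator."""
    return _resolve_dots([unquote(s) for s in path.split("/")])


def bypasses_proxy(path, backend=backend_lenient):
    """True when the vulnerable proxy check admits the request but the backend
    resolves it under the blocked prefix: the condition the advisory describes."""
    resolved = "/" + "/".join(backend(path))
    return proxy_check_vulnerable(path) and resolved.startswith(BLOCKED_PREFIX)


if __name__ == "__main__":
    # Constructed request paths: the advisory's example, its backslash
    # variant, and a benign path.
    for p in ("/something%2F..%2Fadmin", "/something%5c..%5cadmin", "/docs/index.html"):
        print(f"{p:26} vulnerable_allows={proxy_check_vulnerable(p)!s:5} "
              f"lenient_backend={backend_lenient(p)} "
              f"bypass={bypasses_proxy(p)} "
              f"hardened_allows={proxy_check_hardened(p)} "
              f"reject_mode_allows={proxy_check_hardened(p, 'reject')}")
```

`bypasses_proxy` is the useful audit primitive: run it over the paths your own RBAC or JWT rules are meant to protect, once with `backend_lenient` and once with `backend_strict`, and it tells you whether the combination of proxy rule and backend decoding behaviour is exposed. The `reject` mode is the conservative choice when no legitimate client needs escaped slashes in paths; `unescape` keeps those clients working while closing the gap.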

Credit

Ruilin Yang (ruilin.yrl@gmail.com)

References

https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-29492

Weaknesses