Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed

High

mattklein123 published GHSA-5j4x-g36v-m283

Feb 22, 2022

Package

No package listed

Affected versions

1.7.0 and later

Patched versions

1.18.6, 1.19.3, 1.20.2, 1.21.1

Description

CVSSS Score 7.3 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

tls allows re-use when some cert validation settings have changed

Impact

Resources available to unauthorized users

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Do not modify TLS settings.

References

https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases

For more information

Open an issue in Envoy repo
Email us at envoy-security

Severity

High

7.3

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N