CVSS score 8.6 (High), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Envoy incorrectly handled a URI '#fragment' element as part of the path element.
Envoy is configured with an RBAC filter for authorization or similar mechanism with an
explicit case of a final "/admin" path element, or is using a negative assertion with
final path element of "/admin". The client sends request to "/app1/admin#foo"
In Envoy prior to 1.18.0, or 1.18.0+ configured with path_normalization=false
Envoy treats fragment as a suffix of the query string when present, or as a suffix
of the path when query string is absent, so it evaluates the final path element
as "/admin#foo" and mismatches with the configured "/admin" path element
In Envoy 1.18.0+ configured with path_normalization=true
Envoy transforms this to /app1/admin%23foo and mismatches with the configured /admin prefix
The resulting URI is sent to the next server-agent with the offending "#foo" fragment which
violates RFC3986 or with the nonsensical "%23foo" text appended.
Impact
Escalation of Privileges when path based request authorization extensions.
Attack vector
A specifically constructed request with URI containing '#fragment' element delivered by an untrusted client in the presence of path based request authorization.
Patches
Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in incoming requests.
Workarounds
None
Credits
Yangmin Zhu ymzhu@google.com
References
https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases
For more information
If you have any questions or comments about this advisory:
Open an issue in Envoy repo
Email us at envoy-security
yangminzhu Analyst
CVSS score 8.6 (High), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Envoy incorrectly handled a URI '#fragment' element as part of the path element.
Envoy is configured with an RBAC filter for authorization or similar mechanism with an
explicit case of a final "/admin" path element, or is using a negative assertion with
final path element of "/admin". The client sends request to "/app1/admin#foo"
In Envoy prior to 1.18.0, or 1.18.0+ configured with path_normalization=false
Envoy treats fragment as a suffix of the query string when present, or as a suffix
of the path when query string is absent, so it evaluates the final path element
as "/admin#foo" and mismatches with the configured "/admin" path element
In Envoy 1.18.0+ configured with path_normalization=true
Envoy transforms this to /app1/admin%23foo and mismatches with the configured /admin prefix
The resulting URI is sent to the next server-agent with the offending "#foo" fragment which
violates RFC3986 or with the nonsensical "%23foo" text appended.
Impact
Escalation of Privileges when path based request authorization extensions.
Attack vector
A specifically constructed request with URI containing '#fragment' element delivered by an untrusted client in the presence of path based request authorization.
Patches
Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in incoming requests.
Workarounds
None
Credits
Yangmin Zhu ymzhu@google.com
References
https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases
For more information
If you have any questions or comments about this advisory:
Open an issue in Envoy repo
Email us at envoy-security