Vulnerability Details CVE-2019-9901
Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.9%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 7.5
References
- https://github.com/envoyproxy/envoy/issues/6435
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w
- https://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAM
- https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history
- https://github.com/envoyproxy/envoy/issues/6435
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w
- https://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAM
- https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history
Products affected by CVE-2019-9901
-
cpe:2.3:a:envoyproxy:envoy:-
-
cpe:2.3:a:envoyproxy:envoy:1.0.0
-
cpe:2.3:a:envoyproxy:envoy:1.1.0
-
cpe:2.3:a:envoyproxy:envoy:1.2.0
-
cpe:2.3:a:envoyproxy:envoy:1.3.0
-
cpe:2.3:a:envoyproxy:envoy:1.4.0
-
cpe:2.3:a:envoyproxy:envoy:1.5.0
-
cpe:2.3:a:envoyproxy:envoy:1.6.0
-
cpe:2.3:a:envoyproxy:envoy:1.7.0
-
cpe:2.3:a:envoyproxy:envoy:1.7.1
-
cpe:2.3:a:envoyproxy:envoy:1.8.0
-
cpe:2.3:a:envoyproxy:envoy:1.9.0