First published: Tue Apr 09 2019
A flaw was found in Envoy 1.9.0 and older. Envoy does not normalize HTTP URL paths. A remote attacker may craft a request path containing relative segments, e.g. `something/../admin`, to bypass path-based access control, e.g. a block on `/admin`. A backend server that resolves the unnormalized path would then grant the attacker access beyond what the access control policy allows.

Upstream issue: [github.com/envoyproxy/envoy/issues/6435](https://github.com/envoyproxy/envoy/issues/6435)

References: [istio.io/blog/2019/announcing-1.1.2/](https://istio.io/blog/2019/announcing-1.1.2/)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/envoyproxy/envoy | <=1.9.0 | 1.9.1 |
| Envoyproxy Envoy | <=1.9.0 | |
The vulnerability ID for this vulnerability is CVE-2019-9901.
CVE-2019-9901 has a severity level of critical.
Envoy 1.9.0 and earlier are affected by CVE-2019-9901.
An attacker can exploit CVE-2019-9901 by crafting a request path with relative segments (e.g. `something/../admin`) that the proxy does not normalize, bypassing a path-based access control rule such as a block on `/admin`.
You can find more information about CVE-2019-9901 at the following references: [github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w](https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w) and [nvd.nist.gov/vuln/detail/CVE-2019-9901](https://nvd.nist.gov/vuln/detail/CVE-2019-9901).
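The bypass the advisory describes, as an added Python illustration (not Envoy's own code): a rule applied to the raw path misses `/something/../admin`, while the same rule applied to the RFC 3986-normalized path catches it. The blocked prefix `/admin` is a constructed policy, and the sample paths are constructed inputs.

```python
"""Path normalization check illustrating CVE-2019-9901 (constructed example)."""


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments the way RFC 3986 section 5.2.4 does.

    Takes only the path component (split any query string off first).
    '..' never climbs above the root, so '/../admin' becomes '/admin'.
    """
    output = []
    for segment in path.split("/"):
        if segment == "..":
            if output:
                output.pop()  # drop the previous segment
        elif segment != ".":
            output.append(segment)  # '.' is discarded, everything else kept
    normalized = "/".join(output)
    if not normalized.startswith("/"):
        normalized = "/" + normalized  # restore the root if '..' consumed it
    if path.endswith(("/.", "/..")) and not normalized.endswith("/"):
        normalized += "/"  # a trailing dot segment leaves a trailing slash
    return normalized


BLOCKED_PREFIX = "/admin"  # constructed policy: deny the admin area


def _under_prefix(path: str, prefix: str) -> bool:
    """True for the prefix itself or anything below it, not '/administrator'."""
    return path == prefix or path.startswith(prefix + "/")


def is_blocked_naive(path: str) -> bool:
    """Policy applied to the raw path, as a proxy that does not normalize would."""
    return _under_prefix(path, BLOCKED_PREFIX)


def is_blocked_normalized(path: str) -> bool:
    """Policy applied after normalization, closing the relative-path gap."""
    return _under_prefix(normalize_path(path), BLOCKED_PREFIX)


if __name__ == "__main__":
    for raw in ("/admin", "/something/../admin", "/../admin", "/administrator"):
        print(f"{raw:22} naive={is_blocked_naive(raw)!s:5} "
              f"normalized={is_blocked_normalized(raw)!s:5} -> {normalize_path(raw)}")
```

The fixed Envoy release (1.9.1) adds an HTTP connection manager option, `normalize_path`, that performs this normalization before routing and filters run; the code above reproduces the effect so the gap can be checked offline.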