CVE-2021-32777: Incorrect concatenation of multiple value request headers in ext-authz extension
First published: Tue Aug 24 2021(Updated: )
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending request for authorization.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Envoy Proxy | >=1.16.0<1.16.5 | |
| Envoy Proxy | >=1.17.0<1.17.4 | |
| Envoy Proxy | >=1.18.0<1.18.4 | |
| Envoy Proxy | =1.19.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-32777?
CVE-2021-32777 is a vulnerability in Envoy, an open source L7 proxy and communication bus, that allows an attacker to bypass authorization checks.
How does CVE-2021-32777 work?
In affected versions of Envoy, when the ext-authz extension sends request headers to the external authorization service, it does not correctly merge multiple value headers according to the HTTP specification, allowing an attacker to bypass authorization checks.
What is the severity of CVE-2021-32777?
CVE-2021-32777 has a severity rating of 8.3 out of 10, indicating a high-risk vulnerability.
Which versions of Envoy are affected by CVE-2021-32777?
Envoy versions 1.16.0 to 1.16.5, 1.17.0 to 1.17.4, 1.18.0 to 1.18.4, and 1.19.0 are affected by CVE-2021-32777.
How can I fix CVE-2021-32777?
To fix CVE-2021-32777, upgrade to a version of Envoy that is not affected (e.g., 1.19.1 or newer) and follow the guidance provided by the Envoy project.
- agent/references
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/last-modified-date
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/envoyproxy
- canonical/envoy proxy
- version/envoy proxy/1.16.0
- version/envoy proxy/1.17.0
- version/envoy proxy/1.18.0
- version/envoy proxy/1.19.0