What is CVE-2021-32783?

CVE-2021-32783 is a vulnerability in Contour, a Kubernetes ingress controller, that allows unauthorized access to Envoy's admin interface.

How does CVE-2021-32783 affect Contour?

CVE-2021-32783 affects Contour version 1.17.1 and earlier, allowing a specially crafted ExternalName type Service to access Envoy's admin interface.

What is the severity of CVE-2021-32783?

The severity of CVE-2021-32783 is rated as high with a CVSS score of 8.5.

How can I fix CVE-2021-32783 in Contour?

To fix CVE-2021-32783, update Contour to version 1.17.1 or later.

Where can I find more information about CVE-2021-32783?

You can find more information about CVE-2021-32783 in the references provided: [GitHub Commit](https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e), [GitHub Release](https://github.com/projectcontour/contour/releases/tag/v1.17.1), [GitHub Security Advisory](https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc).

Vulnerability/
CVE-2021-32783

high

8.5

CWE

610 441

23/7/2021

5/8/2021

CVE-2021-32783

First published: Fri Jul 23 2021(Updated: )

Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it *cannot* be used to get the *content* of those secrets. Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above. The issue will be addressed in Contour v1.18.0 and a cherry-picked patch release, v1.17.1, has been released to cover users who cannot upgrade at this time. For more details refer to the linked GitHub Security Advisory.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Projectcontour Contour Kubernetes	<1.17.1

Remedy

https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-32783?
CVE-2021-32783 is a vulnerability in Contour, a Kubernetes ingress controller, that allows unauthorized access to Envoy's admin interface.
How does CVE-2021-32783 affect Contour?
CVE-2021-32783 affects Contour version 1.17.1 and earlier, allowing a specially crafted ExternalName type Service to access Envoy's admin interface.
What is the severity of CVE-2021-32783?
The severity of CVE-2021-32783 is rated as high with a CVSS score of 8.5.
How can I fix CVE-2021-32783 in Contour?
To fix CVE-2021-32783, update Contour to version 1.17.1 or later.
Where can I find more information about CVE-2021-32783?
You can find more information about CVE-2021-32783 in the references provided: [GitHub Commit](https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e), [GitHub Release](https://github.com/projectcontour/contour/releases/tag/v1.17.1), [GitHub Security Advisory](https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc).

agent/author
agent/references
agent/severity
agent/weakness
agent/description
agent/type
agent/event
agent/first-publish-date
agent/softwarecombine
agent/last-modified-date
agent/remedy
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/projectcontour
canonical/projectcontour contour kubernetes