
envoy's Issues

CVE-2019-18802 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2019-18802 - High Severity Vulnerability

Vulnerable Library - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

*ATTENTION!: The content of this repo is merged into https://github.com/envoyproxy/envoy and future development is happening there.

Library home page: https://github.com/envoyproxy/envoy-wasm.git

Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625

Found in base branch: master

Vulnerable Source Files (1)

envoy/source/common/runtime/runtime_features.cc

Vulnerability Details

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value", so, for example, with the Host header "example.com " one could bypass "example.com" matchers.

Publish Date: 2019-12-13

URL: CVE-2019-18802

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802

Release Date: 2019-12-13

Fix Resolution: 1.12.2


Step up your Open Source Security Game with WhiteSource here

CVE-2021-28683 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2021-28683 - High Severity Vulnerability

Vulnerable Library - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

*ATTENTION!: The content of this repo is merged into https://github.com/envoyproxy/envoy and future development is happening there.

Library home page: https://github.com/envoyproxy/envoy-wasm.git

Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625

Found in base branch: master

Vulnerable Source Files (1)

envoy/source/extensions/transport_sockets/tls/ssl_socket.cc

Vulnerability Details

An issue was discovered in Envoy through 1.17.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.

Publish Date: 2021-05-20

URL: CVE-2021-28683

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1942263

Release Date: 2021-03-18

Fix Resolution: v1.17.2



CVE-2021-20270 (High) detected in Pygments-2.2.0-py2.py3-none-any.whl

CVE-2021-20270 - High Severity Vulnerability

Vulnerable Library - Pygments-2.2.0-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl

Path to dependency file: envoy/docs/requirements.txt

Path to vulnerable library: envoy/docs/requirements.txt,envoy/docs/requirements.txt

Dependency Hierarchy:

  • Pygments-2.2.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625

Found in base branch: master

Vulnerability Details

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Publish Date: 2021-03-23

URL: CVE-2021-20270

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-9w8r-397f-prfh

Release Date: 2021-03-23

Fix Resolution: Pygments - 20.12.3



CVE-2020-8663 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2020-8663 - High Severity Vulnerability

Vulnerable Libraries - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

Vulnerability Details

Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections.

Publish Date: 2020-07-01

URL: CVE-2020-8663

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-v8q7-fq78-4997

Release Date: 2020-07-01

Fix Resolution: 1.14.3, 1.13.3, 1.12.5



CVE-2019-15225 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2019-15225 - High Severity Vulnerability

Vulnerable Libraries - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

Vulnerability Details

In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.

Publish Date: 2019-08-19

URL: CVE-2019-15225

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15225

Release Date: 2019-08-19

Fix Resolution: v1.11.2



CVE-2021-27291 (High) detected in Pygments-2.2.0-py2.py3-none-any.whl

CVE-2021-27291 - High Severity Vulnerability

Vulnerable Library - Pygments-2.2.0-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl

Path to dependency file: envoy/docs/requirements.txt

Path to vulnerable library: envoy/docs/requirements.txt,envoy/docs/requirements.txt

Dependency Hierarchy:

  • Pygments-2.2.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625

Found in base branch: master

Vulnerability Details

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

Publish Date: 2021-03-17

URL: CVE-2021-27291

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/pygments/pygments/releases/tag/2.7.4

Release Date: 2021-03-17

Fix Resolution: Pygments - 2.7.4



CVE-2021-29492 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2021-29492 - High Severity Vulnerability

Vulnerable Libraries - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

Vulnerability Details

Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy.

Impact: Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret %2F and / and %5C and \ interchangeably are impacted.

Attack Vector: URL paths containing escaped slash characters delivered by untrusted client.

Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat %2F and / and %5C and \ interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat %2F and / and %5C and \ interchangeably.

Publish Date: 2021-05-28

URL: CVE-2021-29492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1951188

Release Date: 2021-03-31

Fix Resolution: v1.15.5, v1.16.4, v1.17.3, v1.18.3



CVE-2020-25018 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2020-25018 - High Severity Vulnerability

Vulnerable Libraries - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

Vulnerability Details

Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization.

Publish Date: 2020-10-01

URL: CVE-2020-25018

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High




CVE-2020-15104 (Medium) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2020-15104 - Medium Severity Vulnerability

Vulnerable Library - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

*ATTENTION!: The content of this repo is merged into https://github.com/envoyproxy/envoy and future development is happening there.

Library home page: https://github.com/envoyproxy/envoy-wasm.git

Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625

Found in base branch: master

Vulnerable Source Files (1)

envoy/source/common/runtime/runtime_features.cc

Vulnerability Details

In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0, when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections.

This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com.

Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0.

Publish Date: 2020-07-14

URL: CVE-2020-15104

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-w5f5-6qhq-hhrg

Release Date: 2020-07-14

Fix Resolution: 1.12.6,1.13.4,1.14.4,1.15.0



CVE-2020-25017 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2020-25017 - High Severity Vulnerability

Vulnerable Libraries - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156, envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

Vulnerability Details

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy's setCopy() header map API does not replace all existing occurrences of a non-inline header.

Publish Date: 2020-10-01

URL: CVE-2020-25017

CVSS 3 Score Details (8.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-2v25-cjjq-5f4w

Release Date: 2020-08-30

Fix Resolution: 1.12.7, 1.13.5, 1.14.5, 1.15.1



CVE-2021-21378 (High) detected in envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

CVE-2021-21378 - High Severity Vulnerability

Vulnerable Library - envoy-wasmae02dc6bdd5c5ea61c3869395d81689e34988156

*ATTENTION!: The content of this repo is merged into https://github.com/envoyproxy/envoy and future development is happening there.

Library home page: https://github.com/envoyproxy/envoy-wasm.git

Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625

Found in base branch: master

Vulnerable Source Files (1)

envoy/source/extensions/filters/http/jwt_authn/verifier.cc

Vulnerability Details

Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the allow_missing requirement under requires_any due to a mistake in implementation.

Envoy's JWT Authentication filter can be configured with the allow_missing requirement that will be satisfied if JWT is missing (JwtMissed error) and fail if JWT is presented or invalid. Due to a mistake in implementation, a JwtUnknownIssuer error was mistakenly converted to JwtMissed when requires_any was configured. So if allow_missing was configured under requires_any, an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list. Integrity may be impacted depending on configuration if the JWT token is used to protect against writes or modifications.

This regression was introduced on 2020/11/12 in PR 13839 which fixed handling allow_missing under RequiresAny in a JwtRequirement (see issue 13458). The AnyVerifier aggregates the children verifiers' results into a final status where JwtMissing is the default error. However, a JwtUnknownIssuer was mistakenly treated the same as a JwtMissing error and the resulting final aggregation was the default JwtMissing. As a result, allow_missing would allow a JWT token with an unknown issuer status.

This is fixed in version 1.17.1 by PR 15194. The fix works by preferring JwtUnknownIssuer over a JwtMissing error, fixing the accidental conversion and bypass with allow_missing.

A user could detect whether a bypass occurred if they have Envoy logs enabled with debug verbosity. Users can enable component level debug logs for JWT. The JWT filter logs will indicate that there is a request with a JWT token and a failure that the JWT token is missing.

Publish Date: 2021-03-11

URL: CVE-2021-21378

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-4996-m8hf-hj27

Release Date: 2021-03-11

Fix Resolution: v1.17.1



CVE-2020-28493 (Medium) detected in Jinja2-2.10.1-py2.py3-none-any.whl

CVE-2020-28493 - Medium Severity Vulnerability

Vulnerable Library - Jinja2-2.10.1-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/1d/e7/fd8b501e7a6dfe492a433deb7b9d833d39ca74916fa8bc63dd1a4947a671/Jinja2-2.10.1-py2.py3-none-any.whl

Path to dependency file: envoy/docs/requirements.txt

Path to vulnerable library: envoy/docs/requirements.txt,envoy/docs/requirements.txt,envoy/configs/requirements.txt

Dependency Hierarchy:

  • Sphinx-1.8.1-py2.py3-none-any.whl (Root Library)
    • Jinja2-2.10.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 320650059a0b0796f39380aaca16815f2f8a4625

Found in base branch: master

Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Publish Date: 2021-02-01

URL: CVE-2020-28493

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493

Release Date: 2021-02-01

Fix Resolution: Jinja2 - 2.11.3

