Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2022-21656
HistoryFeb 22, 2022 - 11:15 p.m.

CVE-2022-21656

2022-02-2223:15:11
CWE-843
CWE-295
[email protected]
web.nvd.nist.gov
3
envoy
certificate validation
type confusion
edge proxy
service proxy
cloud-native applications
nameconstraints
openssl
boringssl
impersonation

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

35.2%

JSON

Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a “type confusion” bug when processing subjectAltNames. This processing allows, for example, an rfc822Name or uniformResourceIndicator to be authenticated as a domain name. This confusion allows for the bypassing of nameConstraints, as processed by the underlying OpenSSL/BoringSSL implementation, exposing the possibility of impersonation of arbitrary servers. As a result Envoy will trust upstream certificates that should not be trusted.

Affected configurations

Nvd
Node
envoyproxyenvoyRange<1.20.2
VendorProductVersionCPE
envoyproxyenvoy*cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

Related

cnvd 1
prion 1
osv 2
cvelist 1
cve 1
redhatcve 1
cnvd
cnvd
Envoy Trust Management Issue Vulnerability (CNVD-2022-16290)
2022-02-24 00:00:00
prion
prion
Type confusion
2022-02-22 23:15:00
osv
osv
BIT-envoy-2022-21656
2024-03-06 10:56:05
CVE-2022-21656
2022-02-22 23:15:11
cvelist
cvelist
CVE-2022-21656 X.509 subjectAltName matching bypass in Envoy
2022-02-22 22:25:11
cve
cve
CVE-2022-21656
2022-02-22 23:15:11
redhatcve
redhatcve
CVE-2022-21656
2022-02-23 06:31:08

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

35.2%

JSON
Related for NVD:CVE-2022-21656
cnvd1prion1osv2cvelist1cve1redhatcve1