CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
A flaw was found in Envoy. JWT filter will lead to a crash in Envoy when clearing the route cache with remote JWKs in the following cases: 1. Remote JWKs are used, which requires async header processing 2. clear_route_cache is enabled on the provider 3. Header operations are enabled in JWT filter, for example, header to claims feature 4. The routing table is configured in a way that the JWT header operations modify requests to not match any route When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.