BIT-ENVOY-2021-32777 Incorrect concatenation of multiple value request headers in ext-authz extension

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However,...

Design/Logic Flaw

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when failuremodeallow: true is configured for extauthz filter. For affected components that are used for loggin...

Authorization Bypass

servicemesh-proxy is vulnerable to authorization bypass. It allows specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed...

CVE-2021-32777

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However,...

CVE-2021-32777

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However,...

Authorization

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However,...

CVE-2021-32777

CVE-2021-32777 affects Envoy’s ext-authz extension, where sending request headers to the external authorization service fails to merge multiple value headers as required by HTTP spec. This can allow specially crafted requests to bypass authorization or escalate privileges when multiple-valued hea...