Vulnerability from bitnami_vulndb
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret %2F and / and %5C and \ interchangeably are impacted. ### Attack Vector URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat %2F and / and %5C and \ interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat %2F and / and %5C and \ interchangeably.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "envoy",
"purl": "pkg:bitnami/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.5"
},
{
"introduced": "1.16.0"
},
{
"fixed": "1.16.4"
},
{
"introduced": "1.17.0"
},
{
"fixed": "1.17.3"
},
{
"introduced": "1.18.0"
},
{
"fixed": "1.18.3"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2021-29492"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\\` interchangeably are impacted. ### Attack Vector URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/` and `%5C` and `\\` interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat `%2F` and `/` and `%5C` and `\\` interchangeably.",
"id": "BIT-envoy-2021-29492",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T10:58:39.469Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-4987-27fx-x6cf"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29492"
}
],
"schema_version": "1.5.0",
"summary": "Bypass of path matching rules using escaped slash characters"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.