A flaw was found in Envoy 1.9.0 and older. Envoy does not normalize HTTP URL paths before evaluating routing and access-control rules. A remote attacker may craft a request whose path contains relative segments, e.g. /something/../admin, to bypass an access-control rule such as a block on /admin: the un-normalized path does not match the rule at the proxy, but a backend server that resolves the dot segments itself will serve /admin, giving the attacker access beyond the scope the access-control policy intended.
Upstream issue: https://github.com/envoyproxy/envoy/issues/6435
References: https://istio.io/blog/2019/announcing-1.1.2/
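The bypass described above, as an added example that is not Envoy's code or part of this advisory: a prefix-based deny rule is evaluated once against the raw request path (the vulnerable behaviour) and once against the path after RFC 3986 dot-segment removal (the hardened behaviour). The policy, the sample paths and the helper names are constructed for this illustration. Only percent-encoded unreserved characters (so %2e for ".") are decoded before normalization; encoded reserved characters such as %2F are left alone, since decoding those would change the path's meaning. The upstream fix in Envoy 1.9.1 exposes this normalization as the normalize_path option of the HTTP connection manager, which is off by default and must be enabled by operators.

```python
"""Path-normalization bypass (CVE-2019-9901 pattern) and its fix.

Added example, not Envoy's implementation. Policy and paths are constructed.
"""
import re

# Constructed policy: everything at or below /admin is denied.
BLOCKED_PREFIX = "/admin"

# RFC 3986 section 2.3 unreserved characters: safe to percent-decode without
# changing how the path splits into segments.
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def decode_unreserved(path: str) -> str:
    """Decode %XX only for unreserved characters; keep the rest, upper-cased."""
    def repl(m: "re.Match[str]") -> str:
        ch = chr(int(m.group(1), 16))
        return ch if ch in _UNRESERVED else m.group(0).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, path)


def normalize_path(raw: str) -> str:
    """Resolve '.' and '..' segments (RFC 3986 section 5.2.4) in an absolute path.

    '..' at the root stays at the root, empty segments ('//') are dropped, a
    trailing slash (or trailing '/.' or '/..') is preserved as a trailing
    slash, and the query string is passed through untouched.
    """
    if not raw.startswith("/"):
        raise ValueError("only absolute paths are normalized: %r" % raw)
    path, sep, query = raw.partition("?")
    path = decode_unreserved(path)
    segments: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    if norm != "/" and path.endswith(("/", "/.", "/..")):
        norm += "/"
    return norm + sep + query


def _matches_blocked(path: str) -> bool:
    """Segment-aware prefix match: /admin and /admin/... but not /administrator."""
    path = path.partition("?")[0]
    return path == BLOCKED_PREFIX or path.startswith(BLOCKED_PREFIX + "/")


def naive_allows(raw: str) -> bool:
    """Vulnerable check: the rule sees the request path exactly as sent."""
    return not _matches_blocked(raw)


def hardened_allows(raw: str) -> bool:
    """Fixed check: normalize first, then apply the same rule."""
    return not _matches_blocked(normalize_path(raw))


if __name__ == "__main__":
    # Constructed sample requests, including the attack from the advisory.
    samples = [
        "/public/index.html",
        "/admin",
        "/something/../admin",   # the bypass from the advisory
        "/admin/%2e%2e/public",  # encoded dots, resolves out of /admin
        "/../../admin/users",    # '..' above root is clamped to root
        "/administrator",        # must not be caught by a sloppy prefix match
    ]
    for s in samples:
        print("%-26s naive=%-5s hardened=%-5s normalized=%s"
              % (s, naive_allows(s), hardened_allows(s), normalize_path(s)))
```

The bypass shows up as a row where naive is True and hardened is False. Note that normalization belongs wherever the access decision is made; a backend that applies its own (possibly different) normalization after the proxy has already decided is exactly the mismatch this advisory describes.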
Acknowledgments: the Envoy security team
This issue has been addressed in the following products: OpenShift Service Mesh Tech Preview Via RHSA-2019:0741 https://access.redhat.com/errata/RHSA-2019:0741
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9901