Envoy through v1.15.0 incorrectly handles multiple HTTP headers contained within a request. If Envoy validates multiple non-inline headers, only the first is validated and hence all others are assumed valid, allowing an access control bypass.
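The defect class described above, as an added illustration that is not Envoy's code and is not taken from the upstream fix: a header check that inspects only the first occurrence of a header name beside one that inspects every occurrence. The allowlist policy, the `x-role` header name and the request lines are constructed for the example.

```python
"""Added example (not Envoy code): a header check must inspect every value.

HTTP allows a header name to appear more than once in a request. If an
access-control check reads only the first value, any later duplicate is
never examined. This models that defect next to the corrected check.
"""
from typing import Dict, List

# A request's headers as a multimap: lower-cased name -> values in arrival order.
Headers = Dict[str, List[str]]

# Constructed policy: every value of a governed header must be in its allowlist.
# Headers not named here are not governed and always pass.
ALLOWLIST = {"x-role": {"viewer"}}  # hypothetical header and values


def parse_raw_headers(raw: str) -> Headers:
    """Parse 'Name: value' lines into a multimap, keeping duplicate names."""
    headers: Headers = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def value_allowed(name: str, value: str) -> bool:
    """Return True if the policy permits this single header value."""
    allowed = ALLOWLIST.get(name)
    return allowed is None or value in allowed


def check_first_value_only(headers: Headers, name: str) -> bool:
    """Flawed check: validates headers[name][0] and silently trusts later duplicates."""
    values = headers.get(name, [])
    if not values:
        return True
    return value_allowed(name, values[0])


def check_every_value(headers: Headers, name: str) -> bool:
    """Corrected check: every occurrence of the header must satisfy the policy."""
    return all(value_allowed(name, v) for v in headers.get(name, []))


def check_no_duplicates(headers: Headers, name: str) -> bool:
    """Stricter alternative: reject a governed header that appears more than once,
    so the upstream can never see a value the policy did not examine."""
    return len(headers.get(name, [])) <= 1


if __name__ == "__main__":
    # Constructed request with a duplicated governed header.
    raw = "Host: example.invalid\nX-Role: viewer\nX-Role: admin\n"
    hdrs = parse_raw_headers(raw)
    print("first-only:", check_first_value_only(hdrs, "x-role"))   # True (defect)
    print("every value:", check_every_value(hdrs, "x-role"))        # False
    print("no duplicates:", check_no_duplicates(hdrs, "x-role"))    # False
```

`check_every_value` is the minimal correction: the policy decision is taken over the full list of values, so no value reaches the upstream unexamined. `check_no_duplicates` is the more conservative option for headers that carry authorization meaning, since it also avoids any dependence on how a particular upstream merges or picks among repeated headers.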
Acknowledgments: Name: the Envoy security team
External References: https://istio.io/latest/news/security/istio-security-2020-010/
upstream fix: https://github.com/envoyproxy/envoy/commit/2c60632d41555ec8b3d9ef5246242be637a2db0f
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:4129 https://access.redhat.com/errata/RHSA-2020:4129
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25017