Bug 2088742 - envoy: Test only method Envoy::Http::validHeaderString used in production in vendor specific HTTP filters
Summary: envoy: Test only method Envoy::Http::validHeaderString used in production in ...
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2088743
Reported: 2022-05-20 11:39 UTC by Avinash Hanwate
Modified: 2023-07-07 08:27 UTC
CC List: 2 users

Fixed In Version: Envoy 1.22.1, Envoy 1.21.3, Envoy 1.20.4, Envoy 1.19.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2022-05-20 11:39:57 UTC
A method designed for sanity checking of HTTP header values during tests, Envoy::Http::validHeaderString, was determined to be used in production in vendor-specific HTTP extensions, including open-source extensions, for validating RFC compliance of header values. However, the method is not performing strict RFC compliance checks and allows characters prohibited by the standard. This may cause affected extensions to produce malformed upstream requests that may fail to be processed correctly by subsequent HTTP filters or fail to be logged by access loggers.

This problem does not affect any extensions in Envoy’s repository and as such, no CVE number will be assigned. The fix is provided under embargo to avoid 0-day exploits for affected HTTP filters outside of the Envoy repository.
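To make the distinction in the report concrete, here is an added illustration that is not Envoy's code and not the validHeaderString implementation: a strict RFC 9110 field-value check, of the kind a production filter validating RFC compliance needs, beside a constructed permissive check that only rejects bytes which would break message framing. The function names and the permissive check's behaviour are assumptions made for this example.

```cpp
// Added illustration, not Envoy's code: a strict RFC 9110 field-value check
// of the kind a production HTTP filter needs, beside a permissive
// "sanity only" check (constructed here) that merely rejects framing bytes.
#include <cstddef>
#include <string>

// Permissive check: rejects only NUL, CR and LF, which would break message
// framing. Everything else, including other control bytes, passes.
inline bool permissiveHeaderValue(const std::string& v) {
  for (unsigned char c : v) {
    if (c == '\0' || c == '\r' || c == '\n') return false;
  }
  return true;
}

// RFC 9110 section 5.5 grammar for a field value:
//   field-value   = *field-content
//   field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]
//   field-vchar   = VCHAR / obs-text        ; %x21-7E / %x80-FF
// So: printable bytes and obs-text, with SP/HTAB only between them; every
// control byte (0x00-0x1F) and DEL (0x7F) is rejected, as is leading or
// trailing whitespace.
inline bool isFieldVchar(unsigned char c) {
  return (c >= 0x21 && c <= 0x7E) || c >= 0x80;
}

// Offset of the first byte the strict grammar rejects, or -1 when the value
// is well formed. Reporting the offset lets a filter log what it dropped.
inline long strictRejectOffset(const std::string& v) {
  for (std::size_t i = 0; i < v.size(); ++i) {
    const unsigned char c = static_cast<unsigned char>(v[i]);
    if (isFieldVchar(c)) continue;
    if (c != ' ' && c != '\t') return static_cast<long>(i);  // CTL or DEL
    // SP / HTAB are legal only between two field-vchars.
    if (i == 0 || i + 1 == v.size()) return static_cast<long>(i);
  }
  return -1;  // an empty value is also valid: *field-content
}

inline bool strictHeaderValue(const std::string& v) {
  return strictRejectOffset(v) < 0;
}
```

A value such as "x\x7Fy" or " lead" passes the permissive check but is rejected by the strict one, which is exactly the class of input the report says reaches upstream as a malformed request.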

