Bug 2179135 (CVE-2023-27487) - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
Summary: CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path`
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-27487
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2178208
Reported: 2023-03-16 17:26 UTC by Anten Skrabec
Modified: 2023-08-31 05:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in envoy. The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header could then be used for trace logs and grpc logs, used in the URL for jwt_authn checks if the jwt_authn filter is used, and any other upstream use of the x-envoy-original-path header.
Clone Of:
Environment:
Last Closed: 2023-08-11 21:10:33 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:4623 | 0 | None | None | None | 2023-08-11 16:48:13 UTC

Description Anten Skrabec 2023-03-16 17:26:27 UTC
The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client.

The faked header would then be used for trace logs and grpc logs, as well as used in the URL used for jwt_authn checks if the jwt_authn filter is used, and any other upstream use of the x-envoy-original-path header.

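The processing pipeline the report describes, as an added Python illustration that is not Envoy's own code: the vulnerable path consumes x-envoy-original-path exactly as received from any client, while the hardened path strips internal-only headers at the beginning of request processing unless the peer is trusted. The Request model, the trusted-network list and the sample addresses are constructed assumptions for this example; Envoy's real internal/external decision is configurable and not reproduced here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Internal-only request headers a client must never be allowed to supply.
INTERNAL_ONLY_HEADERS = {"x-envoy-original-path"}
# Constructed assumption: peers in these networks (e.g. a front proxy in the
# same mesh) are trusted; everything else is an untrusted client.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass
class Request:
    path: str
    headers: dict       # header names are normalised to lowercase below
    client_ip: str

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def from_trusted_peer(req: Request) -> bool:
    addr = ip_address(req.client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def strip_internal_headers(req: Request) -> Request:
    """Hardened ingress step: drop internal-only headers unless the peer is trusted."""
    if from_trusted_peer(req):
        return req
    kept = {k: v for k, v in req.headers.items() if k not in INTERNAL_ONLY_HEADERS}
    return Request(req.path, kept, req.client_ip)


def effective_path(req: Request) -> str:
    """The path downstream consumers (trace/gRPC logs, jwt_authn rules) act on."""
    return req.headers.get("x-envoy-original-path", req.path)


def logged_path(req: Request, hardened: bool) -> str:
    """hardened=False mirrors the flaw: the header is used as received.
    hardened=True sanitises at the beginning of request processing."""
    if hardened:
        req = strip_internal_headers(req)
    return effective_path(req)


# Constructed samples: an external client supplying the internal header, and a
# trusted front proxy legitimately recording the pre-rewrite path.
FORGED = Request("/admin/users", {"X-Envoy-Original-Path": "/healthz"}, "203.0.113.7")
FROM_MESH = Request("/v1/users", {"x-envoy-original-path": "/api/v1/users"}, "10.0.0.5")
```

With the vulnerable pipeline the logs and jwt_authn rule matching for the external request see "/healthz" instead of the real "/admin/users"; the hardened pipeline restores the real path while still honouring the header from the trusted mesh peer.
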
Comment 5 errata-xmlrpc 2023-08-11 16:48:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.2 for RHEL 8

Via RHSA-2023:4623 https://access.redhat.com/errata/RHSA-2023:4623

Comment 6 Product Security DevOps Team 2023-08-11 21:10:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-27487

