CVE-2021-29492
- Source
- https://cve.org/CVERecord?id=CVE-2021-29492
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29492.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-29492
- Aliases
- Downstream
- Related
- Published
- 2021-05-28T21:15:08.670Z
- Modified
- 2026-02-04T21:35:03.474316Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences
%2Fand%5Cin HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g./something%2F..%2Fadmin, to bypass access control, e.g. a block on/admin. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret%2Fand/and%5Cand\interchangeably are impacted. ### Attack Vector URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat%2Fand/and%5Cand\interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat%2Fand/and%5Cand\interchangeably. - References