PT-2023-23000 · Espv2 · Espv2

Panagiotisvasilikos · Published 2023-04-26 · Updated 2026-04-10 · CVE-2023-30845

CVSS v3.1: 8.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

ESPv2 versions 2.20.0 through 2.42.0

Description

The issue allows API clients to bypass JWT authentication by crafting a malicious X-HTTP-Method-Override header value under specific conditions. This occurs when the requested HTTP method is not in the API service definition, and the specified X-HTTP-Method-Override is a valid HTTP method in the API service definition. As a result, ESPv2 will forward the request to the backend without checking the JWT, enabling attackers to bypass authentication. Restricting API access with API keys is not affected by this issue.

Recommendations

Upgrade deployments to release v2.43.0 or higher to receive a patch, ensuring JWT authentication occurs even when the caller specifies x-http-method-override. As a temporary workaround, consider restricting the use of the X-HTTP-Method-Override header until the patch is applied.
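
For reviewing traffic from the period before the upgrade, the condition in the description can be turned into a log check. The following is an added example, not code from the advisory or from the ESPv2 project; the route table, the log record fields and the function names are hypothetical, and it assumes "in the API service definition" is evaluated per route.

```python
# Constructed example: flag logged requests that match the advisory's condition.
# The route table and log record fields are hypothetical, not ESPv2's own formats.

# Hypothetical API service definition: route template -> methods defined for it.
SERVICE_DEFINITION = {
    "/v1/orders": {"GET", "POST"},
    "/v1/orders/{id}": {"GET", "DELETE"},
}

def match_template(path):
    """Return the route template matching a concrete path, or None."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    for template in SERVICE_DEFINITION:
        t_parts = template.strip("/").split("/")
        if len(t_parts) == len(parts) and all(
            t == p or (t.startswith("{") and t.endswith("}") and p != "")
            for t, p in zip(t_parts, parts)
        ):
            return template
    return None

def is_suspicious(record):
    """True when the request method is not defined for the route while the
    X-HTTP-Method-Override value is a defined method."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    override = headers.get("x-http-method-override")
    template = match_template(record["path"])
    if override is None or template is None:
        return False
    defined = SERVICE_DEFINITION[template]
    return (record["method"].upper() not in defined
            and override.strip().upper() in defined)

def scan(records):
    """Return the indexes of records worth reviewing."""
    return [i for i, r in enumerate(records) if is_suspicious(r)]

# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    {"method": "GET", "path": "/v1/orders", "headers": {"Authorization": "Bearer <token>"}},
    {"method": "PUT", "path": "/v1/orders/42", "headers": {"X-HTTP-Method-Override": "DELETE"}},
    {"method": "POST", "path": "/v1/orders", "headers": {"x-http-method-override": "GET"}},
    {"method": "PATCH", "path": "/v1/orders", "headers": {"X-HTTP-Method-Override": "TRACE"}},
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only the second sample record is flagged: its method is not defined for the route and its override value is.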

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2023-30845
GHSA-6QMP-9P95-FC5F

Affected Products

Espv2