Envoy · Envoy · CVE-2019-9901
**Name of the Vulnerable Software and Affected Versions**
Envoy versions 1.9.0 and earlier
**Description**
Envoy 1.9.0 and earlier do not normalize the HTTP request path before applying route matching and access-control rules. A remote attacker can therefore send a request for a relative path such as `/something/../admin`: Envoy compares the raw string `/something/../admin` against its rules, so a rule that blocks `/admin` does not match and the request is forwarded. A backend that resolves dot segments before dispatching (as most web servers and frameworks do) then serves `/admin`, giving the attacker access beyond what the access-control policy intended. Any protected resource guarded only by such a rule, and the data it exposes, is reachable this way.
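The following added example (not Envoy code, and not from the advisory) shows the gap in miniature: a hypothetical prefix-deny policy is evaluated once on the raw path, as Envoy 1.9.0 does, and once on a path normalized with a simplified RFC 3986 dot-segment removal, as the backend would resolve it. The policy (`DENY_PREFIXES`) and the sample request paths are constructed for illustration; the helper also folds percent-encoded dots (`%2e`) so it covers the encoded variant of the same trick, which goes beyond the single path quoted above.

```python
"""Added example: why an un-normalized path bypasses a prefix deny rule.

Assumptions (not from the advisory): a policy that denies anything under
/admin, and a backend that resolves '.' and '..' segments before routing.
"""
import re
from typing import List, Tuple

# Constructed sample policy: everything under /admin is forbidden at the edge.
DENY_PREFIXES = ["/admin"]

# Constructed sample requests: a legitimate one, the bypass from the advisory,
# and a percent-encoded variant of the same bypass.
SAMPLE_REQUESTS = [
    "/public/index.html",
    "/something/../admin",
    "/something/%2e%2e/admin",
]


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments the way a typical backend does.

    Simplified RFC 3986 section 5.2.4 behaviour: '.' is dropped, '..' pops the
    previous segment, '..' at the root is ignored (you cannot climb above '/'),
    and a trailing '.' or '..' keeps the directory-style trailing slash.
    Percent-encoded dots (%2e) are decoded first, since many backends decode
    before resolving and an ACL that does not will miss '%2e%2e'.
    """
    path = re.sub(r"%2[eE]", ".", path)
    if not path.startswith("/"):
        path = "/" + path
    out: List[str] = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg == ".":
            continue
        else:
            out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith(("/..", "/.")) and not result.endswith("/"):
        result += "/"
    return result


def is_denied_raw(path: str) -> bool:
    """The vulnerable check: prefix match on the path exactly as received."""
    return any(path.startswith(p) for p in DENY_PREFIXES)


def is_denied_normalized(path: str) -> bool:
    """The hardened check: normalize first, then apply the same policy."""
    return is_denied_raw(normalize_path(path))


def evaluate(paths: List[str]) -> List[Tuple[str, bool, str, bool]]:
    """For each request path return:
    (raw path, denied by raw check, path the backend serves, denied after normalization).

    A row where the raw check says False but the normalized check says True is
    a request Envoy 1.9.0 would forward and the backend would serve as /admin.
    """
    rows = []
    for p in paths:
        rows.append((p, is_denied_raw(p), normalize_path(p), is_denied_normalized(p)))
    return rows


def bypasses(paths: List[str]) -> List[str]:
    """Paths that slip past the raw check but hit a denied resource on the backend."""
    return [p for p, raw_denied, _, norm_denied in evaluate(paths)
            if not raw_denied and norm_denied]


if __name__ == "__main__":
    for raw, raw_denied, served, norm_denied in evaluate(SAMPLE_REQUESTS):
        verdict = "BYPASS" if (not raw_denied and norm_denied) else "ok"
        print(f"{raw:28} raw-denied={raw_denied!s:5} backend-serves={served:10} "
              f"normalized-denied={norm_denied!s:5} {verdict}")
```

The two bypass rows are exactly the class of request the advisory describes: the edge rule sees a string that does not start with `/admin`, while the backend resolves it to `/admin`. Applying the policy to the normalized path, which is what Envoy's later `normalize_path` setting does before routing, removes the discrepancy.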
**Recommendations**
Upgrade to Envoy 1.9.1 or later, which introduces the `normalize_path` option on the HTTP connection manager, and set it to `true` so that dot segments are resolved before route matching and authorization decisions are made; the option is not enabled by default, so an upgrade alone does not close the gap. Until the upgrade is in place, do not rely on Envoy path-prefix rules as the only control: enforce authorization in the backend as well, and reject requests whose path contains `.` or `..` segments, including percent-encoded forms such as `%2e%2e`, at the edge or in the backend.