Unknown · Envoy Gateway · CVE-2025-24030
**Name of the Vulnerable Software and Affected Versions**
Envoy Gateway versions prior to 1.2.6
**Description**
A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The proxies expose a stats listener on port 19001 that forwards `/stats/prometheus` to the Envoy admin interface; because that route is matched as a path prefix without normalizing dot segments, a request whose path starts with `/stats/prometheus/../..` is forwarded as well and can reach any other admin endpoint. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration, which may contain confidential data. For example, the following command returns the configuration dump of the proxy: `curl --path-as-is http://<Proxy-Service-ClusterIP>:19001/stats/prometheus/../../config_dump`. The `--path-as-is` flag matters: without it curl resolves the `..` segments client-side and sends a plain `/config_dump`, which does not match the stats route.
**Recommendations**
Update to Envoy Gateway 1.2.6 or later, which fixes the issue.
As a temporary workaround, use the `EnvoyProxy` API to apply a bootstrap config patch (a JSONPatch, as in the example accompanying the upstream advisory) that restricts the stats listener strictly to the `/stats/prometheus` endpoint, so that a path containing traversal segments no longer matches the route to the admin interface. After applying it, re-run the `curl --path-as-is` command above: a patched proxy answers with a 404 instead of the configuration dump. Because the stats port is reachable through the proxy Service from inside the cluster, also limit which workloads can reach port 19001 (for example with a NetworkPolicy) to reduce exposure until the upgrade is done.
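The following Python model is an added example and is not Envoy or Envoy Gateway code. It shows, over a constructed miniature of the stats listener's route table, why a prefix-matched `/stats/prometheus` route lets `/stats/prometheus/../../config_dump` reach the admin interface, and how a JSONPatch `replace` that swaps the prefix matcher for an exact `path` matcher closes it. The listener, filter and route indices in `ROUTE_MATCH_PTR` fit only this constructed document; the corresponding pointer for a real proxy must be read from its actual bootstrap. Collapsing dot segments with `posixpath.normpath` to model what the upstream serves is a modelling assumption; the advisory itself only states that the traversal returns the config dump.

```python
"""Model of CVE-2025-24030: a prefix-matched stats route reaching other admin
endpoints, and an exact-path JSONPatch on the bootstrap closing it.

Added example; nothing here is Envoy or Envoy Gateway code. BOOTSTRAP is a
constructed stand-in for the proxy's real bootstrap, so the JSON Pointer in
WORKAROUND_PATCH (listener/filter/route indices) fits only this document.
"""
import copy
import posixpath

# Constructed miniature of the stats listener on port 19001 (assumption: the
# real bootstrap routes the /stats/prometheus prefix to the admin interface).
BOOTSTRAP = {
    "static_resources": {
        "listeners": [{
            "name": "stats-0.0.0.0-19001",
            "filter_chains": [{
                "filters": [{
                    "typed_config": {"route_config": {"virtual_hosts": [{
                        "routes": [
                            {"match": {"prefix": "/stats/prometheus"},
                             "route": {"cluster": "prometheus_stats"}},
                        ],
                    }]}},
                }],
            }],
        }],
    },
}

# RFC 6901 pointer to the route match inside the constructed document above.
ROUTE_MATCH_PTR = ("/static_resources/listeners/0/filter_chains/0/filters/0"
                   "/typed_config/route_config/virtual_hosts/0/routes/0/match")

# The workaround in RFC 6902 form: replace the prefix matcher with an exact one.
WORKAROUND_PATCH = [
    {"op": "replace", "path": ROUTE_MATCH_PTR, "value": {"path": "/stats/prometheus"}},
]

# The advisory's traversal string, plus the same trick aimed at /quitquitquit,
# the Envoy admin endpoint that stops the process.
TRAVERSAL_DUMP = "/stats/prometheus/../../config_dump"
TRAVERSAL_QUIT = "/stats/prometheus/../../quitquitquit"


def _tokens(pointer):
    """Split a JSON Pointer into reference tokens, undoing the ~1 and ~0 escapes."""
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer.lstrip("/").split("/")]


def _step(node, token):
    return node[int(token)] if isinstance(node, list) else node[token]


def resolve_pointer(doc, pointer):
    node = doc
    for tok in _tokens(pointer):
        node = _step(node, tok)
    return node


def apply_json_patch(doc, patch):
    """Apply RFC 6902 'replace' operations to a deep copy of doc.

    Only 'replace' is implemented because that is all the workaround needs;
    any other op is rejected rather than silently skipped.
    """
    doc = copy.deepcopy(doc)
    for op in patch:
        if op["op"] != "replace":
            raise ValueError(f"unsupported op {op['op']!r}")
        *parents, last = _tokens(op["path"])
        node = doc
        for tok in parents:
            node = _step(node, tok)
        if isinstance(node, list):
            node[int(last)] = op["value"]
        else:
            node[last] = op["value"]
    return doc


def route_matches(match, request_path):
    """Envoy-style matching with normalize_path unset: the raw path (query
    stripped) is compared as a string, so '..' segments are not collapsed."""
    path = request_path.split("?", 1)[0]
    if "prefix" in match:
        return path.startswith(match["prefix"])
    if "path" in match:
        return path == match["path"]
    raise ValueError("unsupported route matcher")


def admin_path_reached(bootstrap, request_path):
    """Return the admin endpoint a request lands on, or None if the stats route
    rejects it. Dot segments are collapsed with posixpath.normpath to model the
    upstream resolving them (modelling assumption, see the lead-in)."""
    match = resolve_pointer(bootstrap, ROUTE_MATCH_PTR)
    if not route_matches(match, request_path):
        return None
    return posixpath.normpath(request_path.split("?", 1)[0])


if __name__ == "__main__":
    patched = apply_json_patch(BOOTSTRAP, WORKAROUND_PATCH)
    for label, cfg in (("vulnerable", BOOTSTRAP), ("patched", patched)):
        for req in ("/stats/prometheus", TRAVERSAL_DUMP, TRAVERSAL_QUIT):
            print(f"{label:10} {req:42} -> {admin_path_reached(cfg, req)}")
```

Running the block prints that the vulnerable table routes both traversal strings through to `/config_dump` and `/quitquitquit`, while the patched table still serves `/stats/prometheus` (with or without a query string) and rejects anything else. The exact matcher works because it compares the whole unnormalized path, so a `..` segment can never be part of a matching request; a prefix matcher would need path normalization in front of it to achieve the same.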