Ruilin Yang

Name of the Vulnerable Software and Affected Versions: Envoy versions 1.18.2 and earlier Description: Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. This could allow an attacker to access beyond the scope provided for by the access control policy, potentially leading to escalation of privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `` interchangeably are impacted. The attack vector involves URL paths containing escaped slash characters delivered by untrusted clients. Recommendations: For Envoy versions 1.18.2 and earlier, update to version 1.18.3, 1.17.3, 1.16.4, or 1.15.5, which contain a new path normalization option to decode escaped slash characters. As a temporary workaround, consider reconfiguring the back end server to not treat `%2F` and `/` and `%5C` and `` interchangeably, if URL path based access control is configured.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 13.1.2 macOS Big Sur versions prior to 11.0.1 **Description** An inconsistent user interface issue was addressed with improved state management. Visiting a malicious website may lead to address bar spoofing. **Recommendations** For Safari versions prior to 13.1.2, update to Safari 13.1.2 or later to resolve the issue. For macOS Big Sur versions prior to 11.0.1, update to macOS Big Sur 11.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Shiro versions prior to 1.5.3 **Description** A specially crafted request may cause an authentication bypass when using Apache Shiro with Spring dynamic controllers. Apache Shiro is a Java security framework that handles authentication, authorization, cryptography, and session management. **Recommendations** For versions prior to 1.5.3, update to version 1.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to dynamic controllers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 13.1 **Description** A logic issue was addressed with improved restrictions. A malicious iframe may use another website's download settings. **Recommendations** For versions prior to 13.1, update to Safari 13.1 to resolve the issue. As a temporary workaround, consider restricting the use of iframes from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 11.1.2 **Description** An inconsistent user interface issue was addressed with improved state management. **Recommendations** For versions prior to 11.1.2, update to version 11.1.2 or later to resolve the issue.