Yangmin Zhu

**Name of the Vulnerable Software and Affected Versions** Envoy versions 1.16.5 through 1.19.0 **Description** The issue affects Envoy, an open source L7 proxy and communication bus. In the affected versions, when the ext-authz extension sends request headers to the external authorization service, it fails to merge multiple value headers according to the HTTP specifications, sending only the last header value. This can allow specifically crafted requests to bypass authorization, potentially enabling attackers to escalate privileges when using the ext-authz extension or a back-end service that relies on multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of the ext-authz extension. **Recommendations** For Envoy versions prior to 1.16.5, update to version 1.16.5 or later. For Envoy versions prior to 1.17.4, update to version 1.17.4 or later. For Envoy versions prior to 1.18.4, update to version 1.18.4 or later. For Envoy versions prior to 1.19.1, update to version 1.19.1 or later. As a temporary workaround, consider restricting access to the ext-authz extension until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.16.5 Envoy versions 1.16.5 through 1.19.0 Envoy version 1.18.0 with path normalization=false **Description** The issue arises from Envoy's incorrect handling of a URI '#fragment' element as part of the path element. This occurs when Envoy is configured with an RBAC filter for authorization or a similar mechanism with an explicit case of a final "/admin" path element, or when using a negative assertion with a final path element of "/admin". If a client sends a request to "/app1/admin#foo", Envoy may treat the fragment as a suffix of the query string or the path, leading to a mismatch with the configured "/admin" path element. This can result in the escalation of privileges when path-based request authorization extensions are used. The resulting URI may be sent to the next server-agent with the offending "#foo" fragment, violating RFC3986, or with the nonsensical "%23foo" text appended. **Recommendations** For Envoy versions prior to 1.16.5, update to version 1.16.5 or later. For Envoy versions 1.16.5 through 1.19.0, update to version 1.19.1 or later. For Envoy version 1.18.0 with path normalization=false, update to version 1.18.4 or later, or set path normalization=true. As a temporary workaround, consider disabling the RBAC filter or similar authorization mechanisms until a patch is available. Restrict access to the `/admin` path element to minimize the risk of exploitation. Avoid using the `#fragment` element in URI requests to affected Envoy versions until the issue is resolved.