CVE-2019-9900

Name of the Vulnerable Software and Affected Versions Envoy versions 1.9.0 and earlier

Description The issue is related to errors in parsing HTTP headers and URL paths. This can allow a remote attacker to bypass header matching rules and access control, potentially gaining access to unauthorized resources. The vulnerability can be exploited by crafting header values containing embedded NUL characters or by using relative paths to bypass access control.

Recommendations For Envoy versions 1.9.0 and earlier, consider disabling the HTTP/1.x parsing functionality until a patch is available. Restrict access to sensitive resources by implementing additional access control mechanisms. Avoid using relative paths in HTTP URL requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.