PT-2021-14460 · Envoy · Envoy

Farcaller · Published 2021-03-11 · Updated 2024-03-06 · CVE-2021-21378

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Envoy version 1.17.0

Description: The issue allows an attacker to bypass authentication by presenting a JWT whose issuer is not in the configured provider list, when Envoy's JWT Authentication filter (jwt_authn) has an allow_missing requirement inside a requires_any list. The cause is an implementation mistake: when requires_any was configured, a JwtUnknownIssuer result was converted to JwtMissed, so the allow_missing requirement accepted a request that carried a JWT from an unknown issuer as if it carried no JWT at all. The impact depends on configuration; if the JWT is what protects write or modification endpoints, an attacker can reach them with a token they signed themselves, so integrity is affected.

Recommendations: For Envoy version 1.17.0, update to version 1.17.1, which fixes the issue. As a temporary workaround until the update is applied, remove the allow_missing requirement from any requires_any list in the JWT Authentication filter configuration; note that this also rejects requests that carry no JWT, which is the case allow_missing was meant to admit, so the affected routes must tolerate that. For detection, enable component-level debug logging for the jwt filter: a request that contains a JWT but is logged as failing because the JWT is missing is a sign of an attempted bypass.

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BIT-ENVOY-2021-21378
CVE-2021-21378
GHSA-4996-M8HF-HJ27

Affected Products

Envoy