CVE-2021-29492

Name of the Vulnerable Software and Affected Versions: Envoy versions 1.18.2 and earlier

Description: Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. This could allow an attacker to access beyond the scope provided for by the access control policy, potentially leading to escalation of privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret %2F and / and %5C and `` interchangeably are impacted. The attack vector involves URL paths containing escaped slash characters delivered by untrusted clients.

Recommendations: For Envoy versions 1.18.2 and earlier, update to version 1.18.3, 1.17.3, 1.16.4, or 1.15.5, which contain a new path normalization option to decode escaped slash characters. As a temporary workaround, consider reconfiguring the back end server to not treat %2F and / and %5C and `` interchangeably, if URL path based access control is configured.