PT-2021-19922 · Envoy · Envoy

Yangmin Zhu · Published 2021-08-24 · Updated 2024-03-06 · CVE-2021-32777

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Envoy versions 1.16.5 through 1.19.0

Description: The issue affects Envoy, an open source L7 proxy and communication bus. In the affected versions, when the ext-authz extension sends request headers to the external authorization service, it fails to merge multiple-value headers according to the HTTP specifications, sending only the last header value. This can allow specifically crafted requests to bypass authorization, potentially enabling attackers to escalate privileges when using the ext-authz extension or a back-end service that relies on multiple-value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of the ext-authz extension.

Recommendations: For Envoy versions prior to 1.16.5, update to version 1.16.5 or later. For Envoy versions prior to 1.17.4, update to version 1.17.4 or later. For Envoy versions prior to 1.18.4, update to version 1.18.4 or later. For Envoy versions prior to 1.19.1, update to version 1.19.1 or later. As a temporary workaround, consider restricting access to the ext-authz extension until a patch is applied.
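The description above turns on how repeated header fields are forwarded. The following added example (not Envoy code, and not from the advisory's author) contrasts the RFC 7230 merge, which joins repeated list-valued fields with commas, against the last-value-only behaviour the advisory describes, and gives a check a defender can run over captured request headers to see which fields an authorization service would have seen incompletely. The sample headers are constructed; Set-Cookie is assumed to be the one field that must not be comma-joined.

```python
from typing import Dict, List, Tuple

# Constructed sample request: the same header name appears twice, which
# RFC 7230 allows for list-valued fields such as X-Forwarded-For.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("host", "example.internal"),
    ("x-forwarded-for", "10.0.0.5"),
    ("x-forwarded-for", "192.0.2.10"),
    ("accept", "text/html"),
]

# Fields that must never be merged into one comma-separated value.
NO_MERGE = {"set-cookie"}


def merge_per_rfc(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Combine repeated fields into one comma-separated value (RFC 7230 3.2.2).

    Header names are case-insensitive, so they are normalised to lower case.
    """
    merged: Dict[str, str] = {}
    for name, value in headers:
        key = name.lower()
        if key in merged and key not in NO_MERGE:
            merged[key] = f"{merged[key]},{value}"
        else:
            merged[key] = value
    return merged


def last_value_only(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Behaviour described in the advisory: later occurrences overwrite earlier ones."""
    out: Dict[str, str] = {}
    for name, value in headers:
        out[name.lower()] = value
    return out


def dropped_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Names of fields whose earlier values are lost under last-value forwarding.

    Run over captured request headers, a non-empty result marks requests in
    which an authorization service relying on those fields saw a partial view.
    """
    rfc = merge_per_rfc(headers)
    last = last_value_only(headers)
    return sorted(name for name in rfc if rfc[name] != last[name])
```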

Weakness Enumeration: Incorrect Authorization

Related Identifiers:
- BIT-ENVOY-2021-32777
- CVE-2021-32777
- GHSA-6G4J-5VRW-2M8H
- RHSA-2021:3272
- RHSA-2021:3273

Affected Products: Envoy