PT-2021-19924 · Envoy · Envoy
Yangmin Zhu · Published 2021-08-24 · Updated 2024-03-06
CVE-2021-32779 · CVSS v3.1 8.6 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.16.5
Envoy versions 1.16.5 through 1.19.0
Envoy version 1.18.0 with path normalization=false
Description
The issue arises from Envoy's incorrect handling of the URI '#fragment' element as part of the path element. It affects deployments where Envoy is configured with an RBAC filter (or a similar path-based authorization mechanism) that matches an explicit final "/admin" path element, or that uses a negative assertion on a final "/admin" path element. If a client sends a request to "/app1/admin#foo", Envoy may treat the fragment as a suffix of the query string or of the path, so the request no longer matches the configured "/admin" path element. This can result in the escalation of privileges when path-based request authorization extensions are used. The resulting URI may be forwarded to the next server-agent with the offending "#foo" fragment, violating RFC 3986, or with the nonsensical "%23foo" text appended.
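The path-matching flaw described above, as an added example that is not Envoy's code: a naive suffix check that the request-target "/app1/admin#foo" slips past, beside a hardened check that strips the '#fragment' (and '?query') per RFC 3986 before matching and can optionally reject fragment-carrying requests outright. Function and constant names are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical protected final path element, as in the advisory's "/admin" case.
DENIED_SUFFIX = "/admin"


def naive_denies(request_target: str) -> bool:
    """Vulnerable check: treats the raw request-target as the path.

    "/app1/admin#foo" does not end with "/admin", so the rule fails to
    fire even though the client is addressing the admin resource.
    """
    return request_target.endswith(DENIED_SUFFIX)


def strip_fragment(request_target: str) -> str:
    """Return only the path component: '?query' and '#fragment' are dropped.

    A percent-encoded "%23" stays a literal path character and is not
    treated as a fragment delimiter.
    """
    return urlsplit(request_target).path


def has_fragment(request_target: str) -> bool:
    """True if the client sent a '#fragment' in the request-target at all."""
    return "#" in request_target


def hardened_denies(request_target: str, reject_fragments: bool = False) -> bool:
    """Authorization decision taken on the normalized path.

    With reject_fragments=True any request carrying a fragment is denied,
    since fragments are never legitimately sent to a server.
    """
    if reject_fragments and has_fragment(request_target):
        return True
    return strip_fragment(request_target).endswith(DENIED_SUFFIX)


def forwarded_target(request_target: str) -> str:
    """Request-target to pass upstream: path plus query, never the fragment."""
    parts = urlsplit(request_target)
    return parts.path + ("?" + parts.query if parts.query else "")
```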
Recommendations
For Envoy versions prior to 1.16.5, update to version 1.16.5 or later.
For Envoy versions 1.16.5 through 1.19.0, update to version 1.19.1 or later.
For Envoy version 1.18.0 with path normalization=false, update to version 1.18.4 or later, or set path normalization=true.
As a temporary workaround, consider disabling the RBAC filter or similar authorization mechanisms until a patch is available.
Restrict access to the /admin path element to minimize the risk of exploitation.
Avoid using the #fragment element in URI requests to affected Envoy versions until the issue is resolved.
Fix
Incorrect Authorization
Affected Products
Envoy