PT-2021-21256 · Unknown · Emissary-Ingress

Ropnop · Published 2021-07-09 · Updated 2021-07-14 · CVE-2021-36371

CVSS v2.0: 4.3 Medium

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Emissary-Ingress (formerly Ambassador API Gateway) versions 1.13.9 and earlier

Description

The issue allows attackers to bypass client certificate requirements on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend.

Recommendations

For Emissary-Ingress (formerly Ambassador API Gateway) versions 1.13.9 and earlier, consider updating to a version where this issue is fixed, or apply configuration changes to ensure that all TLSContext definitions require client certificate authentication. As a temporary workaround, consider restricting access to backend upstreams that do not require client certificate authentication to minimize the risk of exploitation.
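A log check for the SNI/Host mismatch described above, as an added example that is not part of the original advisory or the Emissary-Ingress project: it flags requests whose HTTP Host names a client-certificate-protected host while the TLS SNI named something else. The hostnames, the log lines and the JSON field names `sni` and `authority` are constructed assumptions.

```python
import json

# Constructed policy: hostnames whose TLSContext requires a client certificate.
PROTECTED_HOSTS = {"admin.example.test"}

# Constructed access-log lines. The field names "sni" and "authority" are assumptions;
# with Envoy they would be filled from %REQUESTED_SERVER_NAME% and %REQ(:AUTHORITY)%.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "sni": "admin.example.test", "authority": "admin.example.test"}
{"src": "198.51.100.7", "sni": "public.example.test", "authority": "public.example.test"}
{"src": "203.0.113.9", "sni": "public.example.test", "authority": "Admin.Example.Test:443"}
{"src": "203.0.113.9", "sni": "-", "authority": "admin.example.test"}
this line is not JSON and is skipped
"""

def normalize_host(value):
    """Lower-case a hostname; drop a :port suffix and a trailing dot."""
    host = (value or "").strip().lower()
    if host in ("", "-"):                 # "-" is a common placeholder for "no SNI"
        return ""
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal with port
        return host[1:host.index("]")]
    if host.count(":") == 1:              # name:port (bare IPv6 has several colons)
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def find_sni_host_mismatches(log_text, protected_hosts=PROTECTED_HOSTS):
    """Return one finding per request whose Host is protected but whose SNI differs."""
    protected = {normalize_host(h) for h in protected_hosts}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            entry = json.loads(line)
        except ValueError:
            continue                      # not a JSON log record
        if not isinstance(entry, dict):
            continue
        sni = normalize_host(entry.get("sni"))
        authority = normalize_host(entry.get("authority"))
        if authority in protected and sni != authority:
            findings.append({"line": lineno, "src": entry.get("src"),
                             "sni": sni or None, "authority": authority})
    return findings

if __name__ == "__main__":
    for finding in find_sni_host_mismatches(SAMPLE_LOG):
        print(finding)
```
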

Exploit · Fix · Improper Certificate Validation

Weakness Enumeration

Related Identifiers

CVE-2021-36371

Affected Products

Emissary-Ingress