PT-2021-23114 · Google · Extensible Service Proxy
Qiwzhang · Published 2021-10-07 · Updated 2021-10-18

CVE-2021-41130
CVSS v3.1: 6.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Extensible Service Proxy (ESP) versions prior to 1.58.0
Description
The Extensible Service Proxy (ESP) is a proxy that provides API management capabilities for JSON/REST or gRPC API services. It can be configured to authenticate a JWT, and the verified JWT claims are passed to the application in the HTTP header "X-Endpoint-API-UserInfo". However, if the client sends two "X-Endpoint-API-UserInfo" headers, ESP replaces only the first one, and the second is passed through to the application unchanged. An attacker can therefore send two "X-Endpoint-API-UserInfo" headers, the second carrying a forged JWT claim, which the application may then use for authorization. This issue affects ESP deployments where ESP is configured to perform JWT authentication with a Google ID Token and the backend application uses the information in the "X-Endpoint-API-UserInfo" header for authorization.
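The header-handling flaw and its fix, modelled as an added example (not ESP's own code): a proxy that replaces only the first client-supplied copy of the header, the hardened variant that strips every copy before setting its own, and a backend check that refuses a request carrying anything other than exactly one copy. It assumes the header carries base64url-encoded JSON claims; the encoding helpers, function names and sample request are constructed for this page.

```python
import base64
import json

USERINFO = "x-endpoint-api-userinfo"  # header name from the advisory, matched case-insensitively

def encode_claims(claims):
    """Assumption: the header carries the claim set as base64url-encoded JSON."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(value):
    padded = value + "=" * (-len(value) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def userinfo_values(headers):
    """All values of the user-info header, in wire order."""
    return [v for n, v in headers if n.lower() == USERINFO]

def proxy_vulnerable(headers, verified):
    """Pre-1.58.0 behaviour as the advisory describes it: only the first
    client-supplied copy is replaced; any later copy is forwarded untouched."""
    out, replaced = [], False
    for name, value in headers:
        if name.lower() == USERINFO and not replaced:
            out.append((name, encode_claims(verified)))
            replaced = True
        else:
            out.append((name, value))
    if not replaced:
        out.append(("X-Endpoint-API-UserInfo", encode_claims(verified)))
    return out

def proxy_fixed(headers, verified):
    """Hardened proxy: drop every client copy, then set exactly one."""
    out = [(n, v) for n, v in headers if n.lower() != USERINFO]
    out.append(("X-Endpoint-API-UserInfo", encode_claims(verified)))
    return out

def is_ambiguous(headers):
    return len(userinfo_values(headers)) != 1

def backend_claims(headers):
    """Defensive backend parsing: refuse rather than pick the first or last copy."""
    if is_ambiguous(headers):
        raise ValueError("expected exactly one X-Endpoint-API-UserInfo header")
    return decode_claims(userinfo_values(headers)[0])

# Constructed sample request: two client copies, the second carrying forged claims
CLIENT_REQUEST = [("Host", "api.example.com"), ("X-Endpoint-API-UserInfo", "ignored"),
                  ("x-endpoint-api-userinfo", encode_claims({"sub": "admin"}))]
```

With the vulnerable proxy the backend sees two copies, the second forged; with the fixed proxy, or with the backend check above, only the verified claims are ever used.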
Recommendations
- If your Docker image uses the tag ":1", restart the container to pick up the new version; the ":1" tag automatically points to the latest version.
- If your Docker image tag points to a specific minor version, e.g. ":1.57", update it to ":1.58" and restart the container.

Note: there are no workarounds for this issue.
Fix

Weakness Enumeration
Authentication Bypass by Spoofing

Related Identifiers
CVE-2021-41130

Affected Products
Extensible Service Proxy