CVE-2022-21656

Name of the Vulnerable Software and Affected Versions Envoy (affected versions not specified)

Description The issue is related to a "type confusion" bug in the default certificate validation routines when processing subjectAltNames. This allows, for example, an rfc822Name or uniformResourceIndicator to be authenticated as a domain name, enabling the bypassing of nameConstraints as processed by the underlying OpenSSL/BoringSSL implementation. As a result, Envoy will trust upstream certificates that should not be trusted, exposing the possibility of impersonation of arbitrary servers.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.