CVE-2022-29226

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.22.1

Description The OAuth filter implementation in Envoy does not include a mechanism for validating access tokens. By design, when the HMAC signed cookie is missing, a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated, thus allowing access in the presence of any access token attached to the request.

Recommendations For versions prior to 1.22.1, upgrade to version 1.22.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the OAuth filter implementation until a patch is available.