CVE-2023-27487

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.26.0 Envoy versions prior to 1.25.3 Envoy versions prior to 1.24.4 Envoy versions prior to 1.23.6 Envoy versions prior to 1.22.9

Description The issue is related to insufficient input validation when processing the x-envoy-original-path header, allowing attackers to bypass JSON Web Token (JWT) checks and forge fake original paths. This can lead to unauthorized access to protected information. The x-envoy-original-path header should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header would then be used for trace logs and grpc logs, as well as used in the URL used for jwt authn checks if the jwt authn filter is used.

Recommendations For versions prior to 1.26.0, update to version 1.26.0 or later. For versions prior to 1.25.3, update to version 1.25.3 or later. For versions prior to 1.24.4, update to version 1.24.4 or later. For versions prior to 1.23.6, update to version 1.23.6 or later. For versions prior to 1.22.9, update to version 1.22.9 or later. As a temporary workaround, consider restricting the use of the x-envoy-original-path header to minimize the risk of exploitation.