CVE-2021-32777 in Envoyinfo

Summary

by MITRE • 08/25/2021

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending request for authorization.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 08/29/2021

The vulnerability described in CVE-2021-32777 affects Envoy, a widely-used open source Layer 7 proxy and communication bus that serves as a critical component in modern service-oriented architectures. This security flaw specifically impacts the external authorization extension functionality within Envoy, which is designed to delegate authorization decisions to external services. The vulnerability manifests when the ext-authz extension processes HTTP requests containing multiple header values, creating a potential bypass mechanism for unauthorized access attempts. The issue represents a significant security concern given that Envoy is deployed across numerous enterprise environments and cloud-native infrastructures where proper authorization controls are essential for maintaining security boundaries.

The technical flaw lies in the improper handling of HTTP headers with multiple values during external authorization requests. According to HTTP specifications, when multiple headers with the same name exist in a request, they should be merged into a single header value using a comma-separated format. However, the vulnerable versions of Envoy's ext-authz extension only transmit the final header value from multi-value headers, effectively discarding all but the last value. This behavior creates a scenario where an attacker can craft requests that exploit this limitation to bypass authorization checks by manipulating header values in ways that would normally be properly handled by standard HTTP processing. The vulnerability specifically affects the communication between the proxy and external authorization services, where the authorization decision is based on complete header information.

The operational impact of this vulnerability extends beyond simple access control bypasses, potentially enabling privilege escalation attacks when the ext-authz extension is integrated with backend services that rely on multi-value headers for authorization decisions. Attackers can exploit this weakness by sending specifically crafted requests through untrusted downstream peers, leveraging the proxy's failure to properly merge header values. This creates a scenario where authorization decisions might be made based on incomplete header information, allowing malicious actors to craft requests that appear legitimate to the authorization service but contain manipulated header data that could be used to gain unauthorized access to protected resources. The vulnerability affects multiple versions of Envoy including 1.19.1, 1.18.4, 1.17.4, and 1.16.5, indicating it was present across several release lines and could have impacted a substantial number of deployments.

The fix implemented in the patched versions addresses the core issue by ensuring that the ext-authz extension correctly merges multiple header values according to HTTP specifications before forwarding requests to external authorization services. This correction aligns with industry standards such as CWE-1274, which addresses improper handling of HTTP headers, and follows ATT&CK framework techniques related to privilege escalation and evasion through header manipulation. Organizations using Envoy with ext-authz functionality should prioritize upgrading to the patched versions to mitigate this vulnerability, as the security implications extend beyond simple access control to potentially enable more sophisticated attacks that could compromise entire service architectures. The vulnerability demonstrates the importance of proper HTTP specification compliance in security-critical components and highlights the potential for seemingly minor implementation flaws to create significant security risks in complex proxy environments.

Responsible

GitHub, Inc.

Reservation

05/12/2021

Disclosure

08/25/2021

Moderation

accepted

CPE

ready

EPSS

0.03325

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!