CVE-2021-32779 in Envoy
Summary
by MITRE • 08/25/2021
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final "/admin" path element, or is using a negative assertion with final path element of "/admin". The client sends request to "/app1/admin#foo". In Envoy prior to 1.18.0, or 1.18.0+ configured with path_normalization=false. Envoy treats fragment as a suffix of the query string when present, or as a suffix of the path when query string is absent, so it evaluates the final path element as "/admin#foo" and mismatches with the configured "/admin" path element. In Envoy 1.18.0+ configured with path_normalization=true. Envoy transforms this to /app1/admin%23foo and mismatches with the configured /admin prefix. The resulting URI is sent to the next server-agent with the offending "#foo" fragment which violates RFC3986 or with the nonsensical "%23foo" text appended. A specifically constructed request with URI containing '#fragment' element delivered by an untrusted client in the presence of path based request authorization resulting in escalation of Privileges when path based request authorization extensions. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in incoming requests.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/29/2021
The vulnerability CVE-2021-32779 affects Envoy, a widely-used open source Layer 7 proxy and communication bus designed for modern service-oriented architectures. This security flaw stems from Envoy's improper handling of URI fragment elements within the path component, creating a critical authorization bypass opportunity. The issue manifests when Envoy processes requests containing fragment identifiers that are incorrectly interpreted as part of the path rather than as separate URI components. The vulnerability specifically impacts configurations utilizing Role-Based Access Control (RBAC) filters or similar authorization mechanisms where explicit path assertions are made against final path elements such as "/admin". When a client sends a request to "/app1/admin#foo", the proxy's incorrect interpretation of the fragment causes authorization checks to fail, potentially allowing unauthorized access to protected administrative resources.
The technical implementation of this vulnerability involves Envoy's path normalization behavior across different versions. In versions prior to 1.18.0, or when configured with path_normalization=false, Envoy treats fragments as suffixes of the query string when present, or as suffixes of the path when no query string exists. This causes the path evaluation to consider "/admin#foo" rather than the expected "/admin", leading to authorization mismatches. In Envoy 1.18.0+ with path_normalization=true, the system transforms the URI to "/app1/admin%23foo" which also fails to match the configured authorization rules. Both scenarios result in malformed URIs being forwarded to downstream servers, violating RFC 3986 standards for URI syntax and potentially exposing sensitive endpoints. This represents a direct violation of CWE-20, "Improper Input Validation," and falls under the ATT&CK technique T1078.101, "Valid Accounts: Default Accounts," as it enables privilege escalation through improper access control.
The operational impact of this vulnerability extends beyond simple authorization bypass to create potential security escalation paths within service-oriented architectures. When path-based authorization mechanisms are in place, attackers can exploit this flaw to gain access to administrative interfaces by crafting requests with fragment identifiers that circumvent access controls. The vulnerability affects multiple Envoy versions including 1.19.1, 1.18.4, 1.17.4, and 1.16.5, with the fixes addressing the core issue by removing fragment elements from URI paths in incoming requests. Organizations deploying Envoy in production environments must urgently upgrade to patched versions to prevent potential exploitation, as the vulnerability directly undermines the security controls that protect sensitive administrative endpoints. The fix ensures proper URI handling that aligns with RFC 3986 standards, preventing fragments from being incorrectly processed as part of the path component and maintaining the integrity of authorization mechanisms that depend on precise path matching. This vulnerability demonstrates the critical importance of proper URI parsing and normalization in proxy implementations where access control decisions are made based on path components.