Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-25T15:31:19

Updated: 2024-08-04T22:01:55.179Z

Reserved: 2019-03-21T00:00:00

Link: CVE-2019-9901

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-04-25T16:29:01.200

Modified: 2024-11-21T04:52:32.450

Link: CVE-2019-9901

cve-icon Redhat

Severity : Important

Publid Date: 2019-04-05T00:00:00Z

Links: CVE-2019-9901 - Bugzilla