Fwd: Security advisory

Snow Pettersen

May 27, 2021, 3:25:09 PM5/27/21
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com

Hello Envoy Community,

The Envoy security team would like to announce a security advisory for a feature introduced in 1.18.0. As this is a security advisory for a feature not considered production ready that may have been labeled as such, no fix is provided and the advice is to not make use of this feature in a production capacity until future hardening has been done.

The ExtensionWithMatcher API introduced in 1.18.0 has a bug that results in the header value from one request being reused in subsequent requests. This results in the API not working as intended, and could possibly result in requests matching the wrong branch of the match tree.

A deployment that makes use of this API for access control might find that this allows bypassing this control.

The CVSS score for this is Low.

**Thank you**

Thank you to Dmitry Rozhkov for first reporting this.


Snow (on behalf of the Envoy security team and maintainers)
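Since the advice above is to avoid this feature in production, the following added example (editor's code, not part of the advisory or the Envoy project) walks a JSON config dump and reports every typed_config carrying the ExtensionWithMatcher type URL. The type URL is the one Envoy's v3 API uses for that message and the sample config is constructed; neither is taken from the advisory.

```python
import json
from typing import Any, Iterator

# Type URL of the message the advisory refers to. This is the URL Envoy's v3 API
# uses for ExtensionWithMatcher; it is assumed here, not quoted from the advisory.
EXTENSION_WITH_MATCHER = (
    "type.googleapis.com/envoy.extensions.common.matching.v3.ExtensionWithMatcher"
)


def find_type_urls(node: Any, wanted: str, path: str = "$") -> Iterator[str]:
    """Yield JSONPath-like locations of every object whose @type equals `wanted`.

    Walks the whole tree, so it finds the message wherever it is embedded
    (listener filters, HTTP filters, cluster-level extensions, ...).
    """
    if isinstance(node, dict):
        if node.get("@type") == wanted:
            yield path
        for key, value in node.items():
            yield from find_type_urls(value, wanted, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from find_type_urls(value, wanted, f"{path}[{idx}]")


def audit_config(config_json: str) -> list[str]:
    """Return the locations in an Envoy JSON config that use ExtensionWithMatcher."""
    return list(find_type_urls(json.loads(config_json), EXTENSION_WITH_MATCHER))


# Constructed sample (not a real deployment): one HTTP filter wrapped in
# ExtensionWithMatcher and one plain router filter.
SAMPLE_CONFIG = json.dumps({
    "http_filters": [
        {
            "name": "wrapped-filter",
            "typed_config": {
                "@type": EXTENSION_WITH_MATCHER,
                "extension_config": {"name": "inner"},
                "xds_matcher": {},
            },
        },
        {
            "name": "envoy.filters.http.router",
            "typed_config": {
                "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
            },
        },
    ]
})

if __name__ == "__main__":
    for location in audit_config(SAMPLE_CONFIG):
        print(f"ExtensionWithMatcher in use at {location}")
```

Point it at the output of the admin `/config_dump` endpoint to list every place the feature is wired in.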
