Base Score

CRITICAL10

CVE-2019-9901

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.

VectorNETWORK

Published Bycve@mitre.org

Published DateApr 25, 2019, 16:29

Affected Versions(1)

github.com/envoyproxy/envoy(Go)

Introduced0

Fixed1.9.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/envoyproxy/envoy(Go)	0	1.9.1	N/A

Weakness Type (CWE):CWE-706

CVSS Metrics

Base Score

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

CRITICAL10

Weakness Type (CWE):CWE-706

CVSS Metrics

Base Score

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH