
Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers

Moderate
phlax published GHSA-5jmv-cw9p-f9rp Apr 4, 2023

Package

Envoy (Envoy)

Affected versions

< 1.26.0

Patched versions

1.25.3, 1.24.4, 1.23.6, 1.22.9

Description

Impact

Compliant HTTP/1 service should reject malformed request lines.

A non-compliant HTTP/1 service may instead accept such malformed requests, potentially leading to a bypass of security policies.

Affected components

HTTP2/HTTP3.

Attack vector/s

Attackers can send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on an HTTP/1 upstream service.

Description

Envoy does not reject HTTP/2 and HTTP/3 requests whose :method value is not a valid token as defined in https://www.rfc-editor.org/rfc/rfc9110#section-5.6.2.

In addition to the above, based on https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 and https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1, HTTP/2 and HTTP/3 requests MUST include exactly one value for the :method, :scheme, and :path pseudo-header fields, unless the request is a CONNECT request which may omit :scheme and :path.

Allowing invalid characters in pseudo-headers can result in an invalid request line being sent when proxying from an HTTP/2 or HTTP/3 client to an HTTP/1 upstream service.
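The two rules above (a :method that is an RFC 9110 token, and exactly one :method, :scheme and :path unless the request is a CONNECT) as a small validator a proxy would run on the decoded header block before serializing an HTTP/1 request line. This is an added example written for this advisory, not Envoy's own validation code; the header blocks are constructed samples.

```python
import re

# RFC 9110 section 5.6.2: token = 1*tchar (note: no SP, no "/")
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_TOKEN_RE = re.compile(rf"^{_TCHAR}+$")

_REQUEST_PSEUDO = (":method", ":scheme", ":path")


def validate_request_pseudo_headers(headers):
    """Return a list of violations for one HTTP/2 or HTTP/3 request header block.

    `headers` is the decoded field list in wire order as (name, value) pairs.
    An empty list means the block is acceptable to forward. Hypothetical helper
    written for this example, not part of Envoy.
    """
    violations = []
    counts = {name: 0 for name in _REQUEST_PSEUDO}
    seen_regular = False
    for name, _ in headers:
        if not name.startswith(":"):
            seen_regular = True
            continue
        if seen_regular:
            # RFC 9113 section 8.3: pseudo-header fields precede regular fields
            violations.append(f"{name} appears after a regular header field")
        if name in counts:
            counts[name] += 1

    # RFC 9113 section 8.3 / RFC 9114 section 4.3.1: exactly one :method ...
    method = None
    if counts[":method"] != 1:
        violations.append(f":method must appear exactly once (found {counts[':method']})")
    else:
        method = next(v for n, v in headers if n == ":method")
        # The check the advisory describes as missing: "GET /admin" contains SP
        # and "/", so it is not a token and must not reach an HTTP/1 request line.
        if not _TOKEN_RE.match(method):
            violations.append(f":method {method!r} is not a valid token")
    # ... and exactly one :scheme and :path, except CONNECT may omit them.
    for name in (":scheme", ":path"):
        n = counts[name]
        if method == "CONNECT":
            if n > 1:
                violations.append(f"{name} must not appear more than once (found {n})")
        elif n != 1:
            violations.append(f"{name} must appear exactly once (found {n})")
    return violations


# Constructed sample header blocks (not captured traffic).
VALID = [(":method", "GET"), (":scheme", "https"), (":path", "/"), (":authority", "example.test")]
INVALID_METHOD = [(":method", "GET /admin"), (":scheme", "https"), (":path", "/")]
CONNECT = [(":method", "CONNECT"), (":authority", "example.test:443")]
DUPLICATE_PATH = [(":method", "GET"), (":scheme", "https"), (":path", "/"), (":path", "/admin")]
```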

Example exploit or proof-of-concept

Send an HTTP/2 or HTTP/3 request with an invalid :method header, such as :method: GET /admin.

Detection

Upstream service receives unexpected privileged requests from Envoy.

Discoverer(s)/Credits

Martin van Kervel Smedshammer mvsmedsh@ifi.uio.no

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE ID

CVE-2023-27491
