Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2023-27493
Summary
Envoy is an open source edge and service proxy designed for cloud-native applications. In versions prior to 1.22.9, 1.23.x prior to 1.23.6, 1.24.x prior to 1.24.4, and 1.25.x prior to 1.25.3, Envoy does not sanitize or escape request properties when generating request headers. This can result in characters that are illegal in header values being sent to the upstream service. In the worst case, it can cause the upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy's security policy. As a workaround, disable adding request headers based on downstream request properties, such as downstream certificate properties.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-444 - HTTP Request Smuggling
Entities such as web servers, web caching proxies, and application firewalls could parse HTTP requests differently. When there are two or more such entities in the path of an HTTP request, an attacker can send a specially crafted HTTP request that is seen as two different sets of requests by the attacked devices, allowing the attacker to smuggle a request into one device without the other device being aware of it. Such a vulnerability can prove devastating, for it enables further attacks on the application, like web cache poisoning, session hijacking, cross-site scripting, security bypassing, and sensitive information exposure.
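To make the failure mode described in the summary concrete, here is an added example (not Envoy's code) that models header generation from a downstream request property, first without sanitization and then with illegal bytes percent-encoded, plus a check that flags header values carrying control characters. The `%DOWNSTREAM_PEER_SUBJECT%` operator name, the `X-Client-Subject` header and the certificate subject value are constructed assumptions for illustration.

```python
import re

# RFC 9110 field-value grammar allows VCHAR, SP, HTAB and obs-text (0x80-0xFF).
# CR, LF, NUL and the other C0/DEL control bytes are never legal in a header value.
_ILLEGAL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Constructed sample: a client certificate subject that happens to contain CRLF CRLF.
PROPS = {"DOWNSTREAM_PEER_SUBJECT": "CN=alice,O=Example\r\n\r\n"}


def render_unsanitized(template: str, props: dict) -> str:
    """Pre-fix behaviour (modelled here, not Envoy's implementation):
    substitute %OPERATOR% with the raw property value."""
    return re.sub(r"%([A-Z_]+)%", lambda m: props.get(m.group(1), ""), template)


def render_sanitized(template: str, props: dict) -> str:
    """Hardened variant: percent-encode every byte illegal in a field value
    so the property can never terminate the header block early."""
    def encode(value: str) -> str:
        return _ILLEGAL.sub(lambda m: f"%{ord(m.group()):02X}", value)
    return re.sub(r"%([A-Z_]+)%", lambda m: encode(props.get(m.group(1), "")), template)


def build_request(headers: dict) -> bytes:
    """Serialize a minimal HTTP/1.1 GET the way a proxy would write it upstream."""
    lines = ["GET / HTTP/1.1"] + [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def count_messages(raw: bytes) -> int:
    """Number of message heads a pipelining HTTP/1.1 parser would see on the wire."""
    return len([part for part in raw.split(b"\r\n\r\n") if part])


def audit_headers(headers: dict) -> list:
    """Detection check: names of headers whose value carries an illegal control byte."""
    return [name for name, value in headers.items() if _ILLEGAL.search(value)]


if __name__ == "__main__":
    for render in (render_unsanitized, render_sanitized):
        hdrs = {"X-Client-Subject": render("%DOWNSTREAM_PEER_SUBJECT%", PROPS),
                "Host": "upstream.internal"}
        print(render.__name__, "messages seen upstream:",
              count_messages(build_request(hdrs)), "flagged:", audit_headers(hdrs))
```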