CVE Vulnerabilities

CVE-2019-9900

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Apr 25, 2019 | Modified: Nov 07, 2023
CVSS 3.x
8.3
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
8.3 IMPORTANT
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Ubuntu

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Envoy Envoyproxy * 1.9.0 (including)
OpenShift Service Mesh Tech Preview RedHat servicemesh-proxy-0:0.9.1-1.el7 *

Potential Mitigations

References