10

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9901

GHSA ID

GHSA-2wmf-p7f8-w42h

EPSS Score

0.26782%

CWE

CWE-706

Published

5/24/2022

Updated

8/24/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-9901

CVE-2019-9901:
EnvoyProxy Envoy Missing HTTP URL path normalization

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.

(GitHub Advisory)

10

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9901

GHSA ID

GHSA-2wmf-p7f8-w42h

EPSS Score

0.26782%

CWE

CWE-706

Published

5/24/2022

Updated

8/24/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/envoyproxy/envoy	go	<= 1.9.0	1.9.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing path normalization in HTTP requests. The key function is HttpConnectionManagerConfig's constructor where the 'normalize_path_' configuration is determined. In versions <=1.9.0, this used a runtime feature check (disabled by default) rather than enforcing normalization. The patch changes this to use a compile-time flag (ENVOY_NORMALIZE_PATH_BY_DEFAULT) to enable normalization by default, confirming the original runtime-dependent logic was the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*nvoy *.*.* *n* ***or* *o*s not norm*liz* *TTP URL p*t*s. * r*mot* *tt**k*r m*y *r**t * r*l*tiv* p*t*, *.*., `som*t*in*/../**min`, to *yp*ss ****ss *ontrol, *.*., * *lo*k on `/**min`. * ***k*n* s*rv*r *oul* t**n int*rpr*t t** non-norm*liz** p*t* *n*

Reasoning

T** vuln*r**ility st*ms *rom missin* p*t* norm*liz*tion in *TTP r*qu*sts. T** k*y *un*tion is *ttp*onn**tionM*n***r*on*i*'s *onstru*tor w**r* t** 'norm*liz*_p*t*_' *on*i*ur*tion is **t*rmin**. In v*rsions <=*.*.*, t*is us** * runtim* ***tur* ****k (*

10

Basic Information

Concerned about an active attack path?

CVE-2019-9901: EnvoyProxy Envoy Missing HTTP URL path normalization

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-9901:
EnvoyProxy Envoy Missing HTTP URL path normalization

Vulnerability Intelligence
Miggo AI