
CVE-2019-9901:
EnvoyProxy Envoy Missing HTTP URL path normalization

CVSS Score: 10 (CVSS 3.0)

Basic Information

EPSS Score: 0.26782%
Published: 5/24/2022
Updated: 8/24/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name                  Ecosystem   Vulnerable Versions   First Patched Version
github.com/envoyproxy/envoy   go          <= 1.9.0              1.9.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing normalization of HTTP request paths. The key code is the HttpConnectionManagerConfig constructor, where the `normalize_path_` setting is determined. In versions <= 1.9.0 Envoy handed the request path to routing and HTTP filters exactly as received, so dot segments were never collapsed and a rule written against `/admin` did not match `/something/../admin`; that unnormalized path handling is the vulnerable code path. The fix in 1.9.1 adds RFC 3986 dot-segment removal before routing, controlled by the `normalize_path` option of the HTTP connection manager. When the option is not set explicitly, the default falls back to the runtime key `http_connection_manager.normalize_path`, which is off unless Envoy was built with the compile-time flag ENVOY_NORMALIZE_PATH_BY_DEFAULT. Upgrading alone therefore does not guarantee normalization: operators should set `normalize_path: true` explicitly rather than rely on the build default, and should check that any access-control rules are evaluated on the normalized path.


WAF Protection Rules

WAF Rule

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., `something/../admin`, to bypass access control, e.g., a block on `/admin`. A backend server could then interpret the non-normalized path and
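To make the bypass described above concrete, here is an added example in Go (not code from this page, from Envoy or from Miggo): an implementation of the remove_dot_segments algorithm from RFC 3986 section 5.2.4, and a deny rule for `/admin` evaluated once on the raw path, as a proxy without normalization would do it, and once on the normalized path. The function names and the sample request paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// removeDotSegments implements remove_dot_segments from RFC 3986 section 5.2.4.
// It collapses "." and ".." segments; this is the normalization step a reverse
// proxy must apply before matching access-control rules, otherwise
// "/something/../admin" is never seen as "/admin".
func removeDotSegments(input string) string {
	out := ""
	for len(input) > 0 {
		switch {
		case strings.HasPrefix(input, "../"):
			input = input[3:]
		case strings.HasPrefix(input, "./"):
			input = input[2:]
		case strings.HasPrefix(input, "/./"):
			input = input[2:] // "/./x" -> "/x"
		case input == "/.":
			input = "/"
		case strings.HasPrefix(input, "/../"):
			input = input[3:] // "/../x" -> "/x", and drop the previous segment
			out = removeLastSegment(out)
		case input == "/..":
			input = "/"
			out = removeLastSegment(out)
		case input == "." || input == "..":
			input = ""
		default:
			// Move the first segment (with its leading "/" if present, up to
			// but excluding the next "/") from input to output.
			start := 0
			if input[0] == '/' {
				start = 1
			}
			if i := strings.IndexByte(input[start:], '/'); i >= 0 {
				out += input[:start+i]
				input = input[start+i:]
			} else {
				out += input
				input = ""
			}
		}
	}
	return out
}

// removeLastSegment drops the trailing "/segment" from the output buffer.
func removeLastSegment(s string) string {
	if i := strings.LastIndexByte(s, '/'); i >= 0 {
		return s[:i]
	}
	return ""
}

// isBlocked evaluates a constructed deny rule for the /admin prefix. With
// normalize=false it behaves like a proxy without path normalization (the
// pre-1.9.1 behaviour); with normalize=true dot segments are collapsed first,
// so the relative-path trick is caught.
func isBlocked(rawPath string, normalize bool) bool {
	p := rawPath
	if q := strings.IndexByte(p, '?'); q >= 0 {
		p = p[:q] // the query string is not part of the path
	}
	if normalize {
		p = removeDotSegments(p)
	}
	return p == "/admin" || strings.HasPrefix(p, "/admin/")
}

func main() {
	// Constructed request paths; the first is the CVE description's own example.
	for _, path := range []string{
		"/something/../admin",
		"/static/./../admin/users",
		"/admin",
		"/public/index.html",
	} {
		fmt.Printf("%-28s raw-blocked=%-5v normalized=%-14s normalized-blocked=%v\n",
			path, isBlocked(path, false), removeDotSegments(path), isBlocked(path, true))
	}
}
```

This example only collapses dot segments, which is what the CVE is about; it does not percent-decode, so a deny rule must be evaluated on whatever canonical form the backend actually resolves, and any decoding the backend performs has to be mirrored in front of it.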
