CVE-2019-9901:
EnvoyProxy Envoy Missing HTTP URL path normalization
CVSS Score
10 (CVSS v3.0)
Basic Information
CVE ID
CVE-2019-9901
GHSA ID
EPSS Score
0.26782%
CWE
Published
5/24/2022
Updated
8/24/2023
KEV Status
No
Technology
Go (ecosystem tag taken from the advisory's package listing; Envoy itself is written in C++)
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/envoyproxy/envoy | go | <= 1.9.0 | 1.9.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is missing normalization of the HTTP request path. In Envoy <= 1.9.0 the HTTP connection manager handed the request path to routing and to HTTP filters (access control included) exactly as received, so a rule that blocks `/admin` did not match `/something/../admin`, while a backend that resolves dot-segments served `/admin` anyway. The relevant code is HttpConnectionManagerConfig's constructor, where the `normalize_path_` setting is determined. The 1.9.1 fix introduced the `normalize_path` option on HttpConnectionManager; when that option is unset, the constructor falls back to a runtime feature check, which is disabled by default unless Envoy was built with the compile-time flag ENVOY_NORMALIZE_PATH_BY_DEFAULT. A stock build that is merely upgraded therefore still does not normalize paths: operators must set `normalize_path: true` in the connection manager configuration for the fix to take effect.
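To make the bypass concrete, here is an added C++ example (written for this page; it is not Envoy's code, whose normalizer lives in its own source tree, and the `denyAdminRule` policy, the sample paths and all function names are invented for the illustration). It implements remove_dot_segments from RFC 3986 section 5.2.4, treats percent-encoded dots as dots so `%2e%2e` counts as `..`, and shows that a rule evaluated on the raw path lets `/something/../admin` through while the same rule on the normalized path denies it:

```cpp
// Added example, not Envoy's code: a small RFC 3986 path normalizer next to a
// toy "deny /admin" rule, showing why matching on the raw path is bypassable.
#include <iostream>
#include <string>

namespace {

bool startsWith(const std::string& s, const std::string& prefix) {
  return s.compare(0, prefix.size(), prefix) == 0;
}

// Drop the last "/segment" from the output buffer (RFC 3986 5.2.4, step C).
void popLastSegment(std::string& out) {
  size_t pos = out.rfind('/');
  if (pos == std::string::npos) out.clear(); else out.erase(pos);
}

}  // namespace

// Turn "%2e"/"%2E" into '.', so an encoded dot-segment such as "%2e%2e" is
// recognised as "..". Every other escape (including %2F) is left untouched.
std::string decodeEncodedDots(const std::string& path) {
  std::string out;
  for (size_t i = 0; i < path.size(); ++i) {
    if (path[i] == '%' && i + 2 < path.size() && path[i + 1] == '2' &&
        (path[i + 2] == 'e' || path[i + 2] == 'E')) {
      out += '.';
      i += 2;
    } else {
      out += path[i];
    }
  }
  return out;
}

// remove_dot_segments from RFC 3986 section 5.2.4, implemented step by step.
std::string removeDotSegments(std::string in) {
  std::string out;
  while (!in.empty()) {
    if (startsWith(in, "../")) {
      in.erase(0, 3);                         // A
    } else if (startsWith(in, "./")) {
      in.erase(0, 2);                         // A
    } else if (startsWith(in, "/./")) {
      in.replace(0, 3, "/");                  // B
    } else if (in == "/.") {
      in = "/";                               // B
    } else if (startsWith(in, "/../")) {
      in.replace(0, 4, "/");                  // C
      popLastSegment(out);
    } else if (in == "/..") {
      in = "/";                               // C
      popLastSegment(out);
    } else if (in == "." || in == "..") {
      in.clear();                             // D
    } else {                                  // E: move one segment to output
      size_t next = in.find('/', in[0] == '/' ? 1 : 0);
      if (next == std::string::npos) next = in.size();
      out.append(in, 0, next);
      in.erase(0, next);
    }
  }
  return out;
}

std::string normalizePath(const std::string& raw) {
  return removeDotSegments(decodeEncodedDots(raw));
}

// Toy access-control rule in the spirit of the advisory text: deny /admin and
// everything below it. A real deployment would express this in RBAC or routes.
bool denyAdminRule(const std::string& path) {
  return path == "/admin" || startsWith(path, "/admin/");
}

// True when the rule passes the raw path but would deny its normalized form,
// i.e. the request reaches an upstream that resolves it to a denied location.
bool bypassesRawRule(const std::string& raw) {
  return !denyAdminRule(raw) && denyAdminRule(normalizePath(raw));
}

int main() {
  // Constructed sample paths, including the /something/../admin shape from the CVE text.
  const char* samples[] = {"/something/../admin", "/api/%2e%2e/admin",
                           "/admin/../admin", "/public/index.html", "/..%2fadmin"};
  for (const char* raw : samples) {
    std::cout << raw << " -> " << normalizePath(raw)
              << (bypassesRawRule(raw) ? "  (bypasses raw-path rule)" : "") << "\n";
  }
  return 0;
}
```

Note that `/..%2fadmin` survives unchanged: an encoded slash is not a segment separator, so whether it is dangerous depends on what the upstream does with `%2f`, which is a separate question from dot-segment normalization.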
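Because the option the fix introduces is off in a stock build, the operator has to switch it on. As an added configuration example (not taken from the page or from Envoy's own documentation; the listener, virtual host, cluster and port values are placeholders), an HttpConnectionManager in the v2 API of the 1.9 release line with `normalize_path` enabled:

```yaml
static_resources:
  listeners:
  - name: ingress                        # placeholder name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          # Added by the 1.9.1 fix. Left unset, the value falls back to the
          # runtime default, which is off unless Envoy was built with
          # ENVOY_NORMALIZE_PATH_BY_DEFAULT, so upgrading alone changes
          # nothing: set it explicitly so /a/../admin is matched as /admin.
          normalize_path: true
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend                # placeholder name
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }   # placeholder cluster
          http_filters:
          - name: envoy.router
  clusters:
  - name: backend
    connect_timeout: 0.25s
    type: STATIC
    lb_policy: ROUND_ROBIN
    hosts:
    - socket_address: { address: 127.0.0.1, port_value: 8081 }
```

After enabling it, verify the behaviour rather than trusting the config: send a request whose raw path would pass your access-control rules but normalizes into a denied location, and confirm it is rejected at the proxy.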