Envoy Proxy Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability - CVE-2021-29492 - Vulnerability Database

Critical
Reference: CVE-2021-29492
Title: Envoy Proxy Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability
Overview:

Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode the slash sequences, normalize the path, and provide an attacker access beyond the scope provided for by the access control policy.

Impact: Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret %2F and / and %5C and \ interchangeably are impacted.

Attack Vector: URL paths containing escaped slash characters delivered by untrusted client.

Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain a new path normalization option to decode escaped slash characters.

As a workaround, if back end servers treat %2F and / and %5C and \ interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat %2F and / and %5C and \ interchangeably.
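Added example (not Envoy's code and not part of the advisory): a small Python model of the mismatch described above, showing a path-prefix rule matched with escaped slashes left opaque, the same rule matched after unescaping, and a helper that lists request paths where the two disagree with the backend. The backend behaviour, the function names and the sample paths are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

BLOCKED_PREFIX = "/admin"  # the path-based rule from the advisory's example
ESCAPED_SLASH = re.compile(r"%(?:2f|5c)", re.IGNORECASE)


def _normalize(path: str) -> str:
    # Merge repeated slashes first: posixpath.normpath keeps a leading "//".
    return posixpath.normpath(re.sub(r"/+", "/", path))


def _is_blocked(path: str) -> bool:
    return path == BLOCKED_PREFIX or path.startswith(BLOCKED_PREFIX + "/")


def backend_resolve(raw_path: str) -> str:
    """Assumed backend: percent-decodes, treats \\ as /, then normalizes."""
    return _normalize(unquote(raw_path).replace("\\", "/"))


def allows_without_unescape(raw_path: str) -> bool:
    """Affected behaviour: %2F and %5C stay opaque when the rule is matched."""
    return not _is_blocked(_normalize(raw_path))


def allows_with_unescape(raw_path: str) -> bool:
    """Hardened: unescape slashes, normalize, then match the rule."""
    unescaped = ESCAPED_SLASH.sub("/", raw_path).replace("\\", "/")
    return not _is_blocked(_normalize(unescaped))


def policy_gaps(raw_paths):
    """Paths the affected check admits although the backend resolves them under the blocked prefix."""
    return [p for p in raw_paths
            if allows_without_unescape(p) and _is_blocked(backend_resolve(p))]


# Constructed sample request paths; the first is the advisory's own example.
SAMPLE_PATHS = [
    "/something%2F..%2Fadmin",
    "/something%5c..%5Cadmin/users",
    "/admin",
    "/static/app.js",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, allows_without_unescape(p), allows_with_unescape(p), backend_resolve(p))
```

Running policy_gaps over the raw request paths in proxy access logs is one way to check whether a path-based rule was enforced differently at the proxy and at the backend.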