Envoy Proxy Use of Incorrectly-Resolved Name or Reference Vulnerability - CVE-2019-9901 - Vulnerability Database

Envoy Proxy Use of Incorrectly-Resolved Name or Reference Vulnerability - CVE-2019-9901

Critical
Reference: CVE-2019-9901
Title: Envoy Proxy Use of Incorrectly-Resolved Name or Reference Vulnerability
Overview:

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path e.g. something/../admin to bypass access control e.g. a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.