Vulnerabilities > CVE-2020-11767

CVSS 3.1 - LOW

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

high complexity

istio

envoyproxy

NVD

Published: 2020-04-15

Updated: 2021-07-21

Summary

Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and a server (for abc.example.com) recycles the TCP connection to the forward proxy, the victim's browser may suddenly start sending sensitive data to a *.example.com server. This occurs because the forward proxy between the victim and the origin server reuses connections (which obeys the specification), but neither Istio nor Envoy corrects this by sending a 421 error. Similarly, this behavior voids the security model browsers have put in place between domains.

Vulnerable Configurations

Part	Description	Count
Application	Istio Istio Istio 0.1.0 Istio Istio 0.1.1 Istio Istio 0.1.2 Istio Istio 0.1.3 Istio Istio 0.1.4 Istio Istio 0.1.5 Istio Istio 0.1.6 Istio Istio 0.2 Istio Istio 0.2.0 Istio Istio 0.2.1 Istio Istio 0.2.2 Istio Istio 0.2.4 Istio Istio 0.2.6 Istio Istio 0.2.7 Istio Istio 0.2.9 Istio Istio 0.2.10 Istio Istio 0.2.11 Istio Istio 0.2.12 Istio Istio 0.3 Istio Istio 0.3.0 Istio Istio 0.4 Istio Istio 0.4.0 Istio Istio 0.5 Istio Istio 0.5.0 Istio Istio 0.5.1 Istio Istio 0.6 Istio Istio 0.6.0 Istio Istio 0.7 Istio Istio 0.7.0 Istio Istio 0.7.1 Istio Istio 0.8 Istio Istio 0.8.0 Istio Istio 1.0 Istio Istio 1.0.0 Istio Istio 1.0.1 Istio Istio 1.0.2 Istio Istio 1.0.3 Istio Istio 1.0.4 Istio Istio 1.0.5 Istio Istio 1.0.6 Istio Istio 1.0.7 Istio Istio 1.0.8 Istio Istio 1.0.9 Istio Istio 1.0.10 Istio Istio 1.1 Istio Istio 1.1.0 Istio Istio 1.1.1 Istio Istio 1.1.2 Istio Istio 1.1.3 Istio Istio 1.1.4 Istio Istio 1.1.5 Istio Istio 1.1.6 Istio Istio 1.1.7 Istio Istio 1.1.8 Istio Istio 1.1.9 Istio Istio 1.1.10 Istio Istio 1.1.11 Istio Istio 1.1.12 Istio Istio 1.1.13 Istio Istio 1.1.14 Istio Istio 1.1.15 Istio Istio 1.1.16 Istio Istio 1.1.17 Istio Istio 1.2.0 Istio Istio 1.2.1 Istio Istio 1.2.2 Istio Istio 1.2.3 Istio Istio 1.2.4 Istio Istio 1.2.5 Istio Istio 1.2.6 Istio Istio 1.2.7 Istio Istio 1.2.8 Istio Istio 1.2.9 Istio Istio 1.2.10 Istio Istio 1.3 Istio Istio 1.3.0 Istio Istio 1.3.1 Istio Istio 1.3.2 Istio Istio 1.3.3 Istio Istio 1.3.4 Istio Istio 1.3.5 Istio Istio 1.3.6 Istio Istio 1.3.7 Istio Istio 1.3.8 Istio Istio 1.4.0 Istio Istio 1.4.1 Istio Istio 1.4.2 Istio Istio 1.4.3 Istio Istio 1.4.4 Istio Istio 1.4.5 Istio Istio 1.4.6 Istio Istio 1.4.7 Istio Istio 1.4.8 Istio Istio 1.4.9 Istio Istio 1.4.10 Istio Istio 1.5.0 Istio Istio 1.5.1	135
Application	Envoyproxy Envoyproxy Envoy - Envoyproxy Envoy 1.0.0 Envoyproxy Envoy 1.1.0 Envoyproxy Envoy 1.2.0 Envoyproxy Envoy 1.3.0 Envoyproxy Envoy 1.4.0 Envoyproxy Envoy 1.5.0 Envoyproxy Envoy 1.6.0 Envoyproxy Envoy 1.7.0 Envoyproxy Envoy 1.7.1 Envoyproxy Envoy 1.8.0 Envoyproxy Envoy 1.9.0 Envoyproxy Envoy 1.9.1 Envoyproxy Envoy 1.10.0 Envoyproxy Envoy 1.11.0 Envoyproxy Envoy 1.11.1 Envoyproxy Envoy 1.11.2 Envoyproxy Envoy 1.12.0 Envoyproxy Envoy 1.12.1 Envoyproxy Envoy 1.12.2 Envoyproxy Envoy 1.12.3 Envoyproxy Envoy 1.12.4 Envoyproxy Envoy 1.12.5 Envoyproxy Envoy 1.12.6 Envoyproxy Envoy 1.12.7 Envoyproxy Envoy 1.13.0 Envoyproxy Envoy 1.13.1 Envoyproxy Envoy 1.13.2 Envoyproxy Envoy 1.13.3 Envoyproxy Envoy 1.13.4 Envoyproxy Envoy 1.13.5 Envoyproxy Envoy 1.13.6 Envoyproxy Envoy 1.13.7 Envoyproxy Envoy 1.13.8 Envoyproxy Envoy 1.14.0 Envoyproxy Envoy 1.14.1	36

Vulnerabilities > CVE-2020-11767 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2020-11767"}]}

Summary

Vulnerable Configurations

References

Vulnerabilities > CVE-2020-11767