CVE-2019-9901

MEDIUM

Envoy <1.9.0 - SSRF

Title source: llm

Description

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.

References (4)

[Release Notes, Vendor Advisory] https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history

[Issue Tracking, Mitigation, Third Party Advisory] https://github.com/envoyproxy/envoy/issues/6435

[Mailing List] https://groups.google.com/forum/#%21topic/envoy-announce/VoHfnDqZiAM

[Vendor Advisory] https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w

Scores

CVSS v3 6.5

EPSS 0.0009

EPSS Percentile 25.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Details

CWE

CWE-706

Status published

Products (2)

envoyproxy/envoy < 1.9.0

envoyproxy/envoy 0 - 1.9.1Go

Published Apr 25, 2019

Tracked Since Feb 18, 2026