Description
CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump.
References (3)
Core 3
Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history
Third Party Advisory x_refsource_misc
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3x9m-pgmg-xpx8
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0734
Scores
CVSS v3
5.3
EPSS
0.0130
EPSS Percentile
66.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-287
Status
published
Products (1)
cncf/envoy
< 1.13.0
Published
Mar 04, 2020
Tracked Since
Feb 18, 2026