CVE-2021-32777

HIGH

Envoy 1.16.0-1.16.4 - Authorization Bypass via Ext-Authz Header Merging

Title source: llm

Description

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending request for authorization.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h

Release Notes, Vendor Advisory x_refsource_misc

https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history

Scores

CVSS v3 8.6

EPSS 0.0333

EPSS Percentile 87.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE

CWE-551 CWE-863

Status published

Products (2)

envoyproxy/envoy 1.19.0

envoyproxy/envoy 1.16.0 - 1.16.5

Published Aug 24, 2021

Tracked Since Feb 18, 2026