Description
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360
Third Party Advisory x_refsource_confirm
https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh
Scores
CVSS v3
10.0
EPSS
0.0008
EPSS Percentile
24.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
Status
published
Products (1)
envoyproxy/envoy
< 1.22.1
Published
Jun 09, 2022
Tracked Since
Feb 18, 2026