CVE-2021-29492

8.1 HIGH

📋 TL;DR

Envoy proxy versions 1.18.2 and earlier do not decode escaped slash sequences (%2F/%2f and %5C/%5c) in HTTP URL paths before path-based filters evaluate them. A remote attacker can craft a path such as /something%2F..%2Fadmin to bypass access controls like ext_authz, RBAC or JWT filters when the backend server decodes those sequences and treats them as ordinary slashes, reaching resources the proxy was supposed to protect. The result is privilege escalation wherever URL path-based access control is configured in Envoy.

💻 Affected Systems

Products:
  • Envoy proxy
Versions: 1.18.2 and earlier (the 1.18.x, 1.17.x, 1.16.x and 1.15.x branches before their fixed releases)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only configurations that make access decisions on the URL path (RBAC, JWT or ext_authz filters) in front of a backend that decodes %2F to / and %5C to \ are exploitable. The patched releases add the path_with_escaped_slashes_action option but keep the old behaviour by default, so an upgraded Envoy with that field unset is still exposed.

📦 What is this software?

Envoy is an open-source L7 edge and service proxy, widely deployed as a sidecar in service meshes and as an API gateway, where its HTTP filters (RBAC, JWT authentication, external authorization) are often the only access control in front of a backend.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of access controls allowing unauthorized access to administrative interfaces, sensitive data, or privileged functionality.

🟠

Likely Case

Partial bypass of access restrictions leading to unauthorized access to some protected resources or endpoints.

🟢

If Mitigated

No impact if the backend does not decode %2F/%5C when routing, if Envoy is configured to unescape (then redirect or forward) or reject such paths before its filters run, or if equivalent access control is enforced at the backend itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack is a single unauthenticated request whose path carries %2F or %5C in place of a slash (e.g. /something%2F..%2Fadmin); no tooling beyond an HTTP client is needed once the target's restricted paths are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.18.3, 1.17.3, 1.16.4, 1.15.5

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-4987-27fx-x6cf

Restart Required: Yes

Instructions:

1. Upgrade Envoy to the patched release for its branch (1.18.3, 1.17.3, 1.16.4 or 1.15.5). 2. The patch adds an option but does not change the default: set path_with_escaped_slashes_action on each HttpConnectionManager to UNESCAPE_AND_REDIRECT (or UNESCAPE_AND_FORWARD, or REJECT_REQUEST) so the filters evaluate the same path the backend will see, and enable normalize_path and merge_slashes alongside it. 3. Restart (or hot-restart) Envoy, or push the updated listener configuration through xDS.
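Because step 2 is the part people skip, the following added example (written for this page, not Envoy project code) audits an Envoy bootstrap for listeners that run a path-based filter without a safe path_with_escaped_slashes_action. It relies on the v3 type URLs and HttpConnectionManager field names shown; the bootstrap documents it builds for the demo are constructed, not taken from a real deployment, and the runtime-key behaviour it comments on is the documented mapping of IMPLEMENTATION_SPECIFIC_DEFAULT.

```python
"""Audit an Envoy bootstrap for CVE-2021-29492 exposure (added example)."""

HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")

# HTTP filter types whose decisions depend on the request path: the classes
# the advisory names (RBAC, JWT, ext_authz).
PATH_AUTHZ_TYPES = (
    "envoy.extensions.filters.http.rbac.v3.RBAC",
    "envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication",
    "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
)

# Values under which the filters evaluate the same path the backend will see
# (or the request never reaches it).  KEEP_UNCHANGED, and the default
# IMPLEMENTATION_SPECIFIC_DEFAULT (which maps to KEEP_UNCHANGED unless the
# runtime key http_connection_manager.path_with_escaped_slashes_action says
# otherwise), preserve the pre-fix behaviour.
SAFE_ACTIONS = {"UNESCAPE_AND_REDIRECT", "UNESCAPE_AND_FORWARD", "REJECT_REQUEST"}


def _type_url(filt):
    return filt.get("typed_config", {}).get("@type", "")


def audit_hcm(hcm):
    """Return a list of findings for one HttpConnectionManager config."""
    authz = [f["name"] for f in hcm.get("http_filters", [])
             if _type_url(f).endswith(PATH_AUTHZ_TYPES)]
    if not authz:
        return []  # no path-based access control here, nothing to bypass
    findings = []
    action = hcm.get("path_with_escaped_slashes_action",
                     "IMPLEMENTATION_SPECIFIC_DEFAULT")
    if action not in SAFE_ACTIONS:
        findings.append(f"%2F/%5C reach {', '.join(authz)} unchanged "
                        f"(path_with_escaped_slashes_action={action})")
    if not hcm.get("normalize_path", False):
        findings.append(f"normalize_path is off: '..' segments are not "
                        f"collapsed before {', '.join(authz)}")
    return findings


def audit_bootstrap(bootstrap):
    """Map each listener name to the findings of its HttpConnectionManager."""
    results = {}
    listeners = bootstrap.get("static_resources", {}).get("listeners", [])
    for listener in listeners:
        for chain in listener.get("filter_chains", []):
            for filt in chain.get("filters", []):
                if _type_url(filt) == HCM_TYPE:
                    results[listener["name"]] = audit_hcm(filt["typed_config"])
    return results


def demo_bootstrap(**hcm_fields):
    """Constructed bootstrap: one listener with an RBAC filter denying /admin,
    plus whatever HttpConnectionManager fields the caller passes in."""
    hcm = {
        "@type": HCM_TYPE,
        "stat_prefix": "ingress_http",
        "http_filters": [
            {"name": "envoy.filters.http.rbac",
             "typed_config": {
                 "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
                 "rules": {"action": "DENY", "policies": {"deny-admin": {
                     "permissions": [{"url_path": {"path": {"prefix": "/admin"}}}],
                     "principals": [{"any": True}]}}}}},
            {"name": "envoy.filters.http.router",
             "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}},
        ],
    }
    hcm.update(hcm_fields)
    return {"static_resources": {"listeners": [{
        "name": "ingress_http",
        "filter_chains": [{"filters": [{
            "name": "envoy.filters.network.http_connection_manager",
            "typed_config": hcm}]}]}]}}


# As deployed on 1.18.2, or on a patched build where nobody set the new field.
VULNERABLE = demo_bootstrap()
# What the upgrade has to be paired with.
HARDENED = demo_bootstrap(normalize_path=True, merge_slashes=True,
                          path_with_escaped_slashes_action="UNESCAPE_AND_REDIRECT")

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_bootstrap(cfg))
```

The same walk works over the JSON that the admin interface's /config_dump returns once you point it at the listener entries there. UNESCAPE_AND_REDIRECT is the conservative choice: the client is sent back to the decoded path, so the request with escaped slashes is never forwarded and the retried request is evaluated by the filters in its decoded form; UNESCAPE_AND_FORWARD decodes in place, which is fine as long as nothing downstream relied on the encoded form surviving.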

🔧 Temporary Workarounds

Backend server configuration (platform: all)

Configure backend servers so they do not decode %2F to / or %5C to \ (and do not accept \ as a path separator) when routing requests, so the path Envoy's filters evaluated and the path the backend serves are the same. This only helps if every backend behind the affected listeners can be changed.

🧯 If You Can't Patch

  • Enforce the same path-based access control at the backend itself, so Envoy is not the only gate
  • Put a WAF or reverse proxy that normalises or rejects %2F/%2f and %5C/%5c in the path in front of Envoy, so the sequences never reach its filters

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the running Envoy is older than the patched release for its branch, an RBAC, JWT or ext_authz filter makes decisions on the URL path, and the backend decodes %2F/%5C when routing. A patched Envoy whose HttpConnectionManager still has path_with_escaped_slashes_action unset (or set to KEEP_UNCHANGED) behaves exactly like the unpatched one.

Check Version:

envoy --version

Verify Fix Applied:

Confirm the running version (the admin interface's /server_info endpoint reports it for a live process), confirm path_with_escaped_slashes_action is set on every HttpConnectionManager that fronts a path-based filter (visible in the admin /config_dump output), then request an escaped-slash traversal of a denied path against each listener, e.g. /something%2F..%2Fadmin and /something%5C..%5Cadmin plus the lowercase %2f/%5c variants. Expect a rejection, a 403 from the filter, or a redirect to the decoded path (UNESCAPE_AND_REDIRECT answers with a 307); a 2xx served by the backend means the bypass still works.

📡 Detection & Monitoring

Log Indicators:

  • Requests whose path (not the query string, where %2F is routine) contains %2F/%2f or %5C/%5c, especially combined with dot segments such as %2F..%2F
  • 2xx responses for such requests whose decoded path lands under a prefix that RBAC, JWT or ext_authz should have denied

Network Indicators:

  • HTTP traffic with encoded slash characters bypassing expected access patterns

SIEM Query:

http.url:*%2F* OR http.url:*%2f* OR http.url:*%5C* OR http.url:*%5c*

Match both hex cases, and prefer a path-only field over the full URL where your log schema has one; escaped slashes in query parameters are common and will otherwise flood the results.
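To make the verification and detection steps concrete, the following added example (written for this page, not Envoy code) simulates the mismatch the advisory describes and then triages access-log lines with it. The denied prefix, the backend behaviour modelled by backend_view, and the log lines are constructed for the demo; the log layout follows Envoy's default access-log format. It generalises past the advisory's single /something%2F..%2Fadmin path to any encoded slash or backslash sequence, in either hex case.

```python
"""Simulate CVE-2021-29492 and triage Envoy access logs for it (added example)."""
import re
from urllib.parse import unquote

# Hypothetical policy: an Envoy RBAC filter denies everything under /admin.
DENIED_PREFIXES = ("/admin",)


def remove_dot_segments(path):
    """RFC 3986 dot-segment removal on a slash-separated path."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def envoy_view(raw_path):
    """The path an unpatched Envoy (or a patched one left at KEEP_UNCHANGED)
    hands to RBAC/JWT/ext_authz with normalize_path on: '..' collapsed,
    but %2F and %5C left as three literal characters each."""
    return remove_dot_segments(raw_path)


def backend_view(raw_path, backslash_is_separator=True):
    """The path a typical backend routes on: percent-decoded first and, on
    servers that accept backslash as a separator, backslashes folded to '/'."""
    decoded = unquote(raw_path)
    if backslash_is_separator:
        decoded = decoded.replace("\\", "/")
    return remove_dot_segments(decoded)


def rbac_denies(path):
    # Same semantics as an RBAC url_path prefix rule: plain string prefix.
    return path.startswith(DENIED_PREFIXES)


def bypasses_rbac(raw_path):
    """True when Envoy lets the request through but the backend routes it
    into a denied prefix: exactly the CVE-2021-29492 condition."""
    return not rbac_denies(envoy_view(raw_path)) and rbac_denies(backend_view(raw_path))


# Default Envoy access-log format: [START_TIME] "METHOD PATH PROTOCOL" CODE ...
LOG_RE = re.compile(r'\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ESCAPED_SLASH = re.compile(r"%(2f|5c)", re.IGNORECASE)


def triage_log(lines):
    """Return (target, status, verdict) for requests carrying escaped slashes
    in the path; the query string is ignored because %2F is routine there."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not ESCAPED_SLASH.search(path):
            continue
        verdict = "BYPASS" if bypasses_rbac(path) else "encoded-slash"
        hits.append((target, m.group("status"), verdict))
    return hits


# Constructed log lines for the demo (default Envoy access-log layout).
SAMPLE_LOG = [
    '[2021-05-11T10:00:01.000Z] "GET /admin HTTP/1.1" 403 - 0 19 0 - "10.0.0.5" "curl/7.68.0" "r1" "app.example.com" "-"',
    '[2021-05-11T10:00:02.000Z] "GET /something%2F..%2Fadmin HTTP/1.1" 200 - 0 512 3 2 "10.0.0.5" "curl/7.68.0" "r2" "app.example.com" "10.1.0.7:8080"',
    '[2021-05-11T10:00:03.000Z] "GET /search?q=a%2Fb HTTP/1.1" 200 - 0 88 2 1 "10.0.0.9" "Mozilla/5.0" "r3" "app.example.com" "10.1.0.7:8080"',
    '[2021-05-11T10:00:04.000Z] "GET /docs%2Fintro HTTP/1.1" 200 - 0 1024 2 1 "10.0.0.9" "Mozilla/5.0" "r4" "app.example.com" "10.1.0.7:8080"',
    '[2021-05-11T10:00:05.000Z] "GET /files%5c..%5cadmin%5cusers HTTP/1.1" 200 - 0 2048 4 3 "10.0.0.5" "curl/7.68.0" "r5" "app.example.com" "10.1.0.7:8080"',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(*hit)
```

A BYPASS verdict with a 2xx status and a non-empty upstream host at the end of the line is the combination worth paging on: the filters let the request through and the backend answered it. The plain /something/../admin line never shows up because normalize_path collapses it before RBAC runs, which is why the fix instructions pair path_with_escaped_slashes_action with normalize_path rather than relying on either alone.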
