Login Sign Up

CVE-2021-32779

8.6 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability in Envoy proxy allows attackers to bypass path-based authorization controls by including URI fragments (#fragment) in requests. It affects Envoy deployments using RBAC filters or similar authorization mechanisms with path-based rules. Attackers can escalate privileges by accessing restricted endpoints.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: All versions prior to 1.19.1, 1.18.4, 1.17.4, 1.16.5
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using path-based authorization (RBAC filters) and path_normalization=false in Envoy 1.18.0+

📦 What is this software?

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authorization bypass allowing unauthorized access to administrative endpoints, potentially leading to data exposure, service disruption, or further compromise.

🟠

Likely Case

Partial authorization bypass allowing access to some restricted endpoints based on path matching rules.

🟢

If Mitigated

No impact if proper network segmentation, additional authentication layers, or updated versions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted URIs with fragments to bypass path matching

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.1, 1.18.4, 1.17.4, 1.16.5

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-r222-74fw-jqr9

Restart Required: Yes

Instructions:

1. Identify Envoy version. 2. Upgrade to patched version. 3. Restart Envoy service. 4. Verify fragment handling is removed from path processing.

🔧 Temporary Workarounds

Enable path normalization

all

Set path_normalization=true in Envoy 1.18.0+ configurations

Set 'path_normalization: true' in Envoy configuration

WAF fragment filtering

all

Configure WAF to block or sanitize URI fragments

🧯 If You Can't Patch

  • Implement additional authentication/authorization layers beyond path-based rules
  • Use network segmentation to isolate Envoy instances from sensitive backend services

🔍 How to Verify

Check if Vulnerable:

Check Envoy version and configuration for path-based authorization with path_normalization=false (if 1.18.0+)

Check Version:

envoy --version

Verify Fix Applied:

Test with requests containing fragments to ensure they're properly rejected or normalized

📡 Detection & Monitoring

Log Indicators:

  • Requests with # fragments in URI paths
  • Authorization failures followed by successful access

Network Indicators:

  • HTTP requests containing # in path segments
  • Unusual access patterns to admin endpoints

SIEM Query:

http.uri contains "#" AND (http.status_code=200 OR http.status_code=302) AND NOT http.uri contains "?"

📊 Metadata

CVE ID: CVE-2021-32779
CVSS v3 Score: 8.6 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE: CWE-551
Published: August 24, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-32779, you might also want to check these:

CVE-2023-23924 10.0

Dompdf 2.0.1 has an SVG parsing vulnerability where URI validation can be bypassed using uppercase l...

Same vulnerability type (CWE-551)
CVE-2021-32777 8.6

Envoy's ext-authz extension fails to properly merge multiple-value headers when sending requests to ...

Same vulnerability type (CWE-551)
CVE-2023-6394 7.4

CVE-2023-6394 is an authentication bypass vulnerability in Quarkus where GraphQL operations over Web...

Same vulnerability type (CWE-551)