CVE-2023-30845
📋 TL;DR
CVE-2023-30845 is an authentication bypass vulnerability in ESPv2 service proxy versions 2.20.0 through 2.42.0. Attackers can craft malicious X-HTTP-Method-Override header values to bypass JWT authentication when targeting HTTP methods not defined in the API service specification. Organizations using affected ESPv2 versions for API management with JWT authentication are vulnerable.
💻 Affected Systems
- ESPv2 (Google Cloud Endpoints Service Proxy V2)
📦 What is this software?
ESPv2 by Google
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers gain full access to backend APIs protected only by JWT authentication, potentially leading to data exfiltration, unauthorized modifications, or service disruption.
Likely Case
Attackers bypass authentication to access sensitive API endpoints, potentially exposing confidential data or performing unauthorized operations.
If Mitigated
If API keys are used alongside JWT or if affected endpoints have additional authorization layers, impact is reduced to partial access or no access.
🎯 Exploit Status
Exploitation requires crafting HTTP requests with specific header manipulation but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.43.0 or higher
Vendor Advisory: https://github.com/GoogleCloudPlatform/esp-v2/security/advisories/GHSA-6qmp-9p95-fc5f
Restart Required: Yes
Instructions:
1. Update the ESPv2 deployment to version 2.43.0 or higher.
2. Restart ESPv2 services.
3. Verify the update using version check commands.
🔧 Temporary Workarounds
Disable X-HTTP-Method-Override header
Configure the load balancer or proxy in front of ESPv2 to strip or reject X-HTTP-Method-Override headers so they never reach ESPv2.
# Configure your load balancer/proxy to strip X-HTTP-Method-Override headers
# Example for nginx (inside the location block that proxies to ESPv2; an empty value removes the header from the upstream request):
proxy_set_header X-HTTP-Method-Override "";
Enforce API key authentication
Require API keys for all endpoints in addition to or instead of JWT authentication.
# Update the OpenAPI spec (or gRPC annotations) to require API keys
# Example OpenAPI 2.0 snippet: define the scheme, then apply it globally so it is actually enforced
securityDefinitions:
  api_key:
    type: apiKey
    name: key
    in: query
security:
  - api_key: []
🧯 If You Can't Patch
- Implement network-level controls to block or sanitize X-HTTP-Method-Override headers before they reach ESPv2.
- Enable comprehensive logging and monitoring for authentication bypass attempts and review logs regularly.
🔍 How to Verify
Check if Vulnerable:
Check the ESPv2 version. If it is between 2.20.0 and 2.42.0 (inclusive) and JWT authentication is in use, the system is vulnerable.
Check Version:
kubectl get deployment <espv2-deployment> -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o ':[0-9.]*$'
Verify Fix Applied:
Confirm ESPv2 version is 2.43.0 or higher and test that JWT authentication is enforced even with X-HTTP-Method-Override headers.
📡 Detection & Monitoring
Log Indicators:
- Requests with X-HTTP-Method-Override headers targeting undefined HTTP methods
- Successful API calls without valid JWT tokens in authentication logs
Network Indicators:
- HTTP requests containing X-HTTP-Method-Override headers with unusual values
- Traffic patterns showing authentication bypass attempts
SIEM Query:
source="espv2" AND (header="X-HTTP-Method-Override" OR auth_status="bypass")
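The log indicators above, turned into a small defensive scan (an added example, not code from ESPv2 or the advisory): it flags requests whose X-HTTP-Method-Override names a method the service config does not define for that path, reports whether a bearer token was present, and also implements the version-range check from the "How to Verify" section. The service-config map, the JSON-per-line log shape and its field names are constructed assumptions; adapt them to your own OpenAPI spec and Envoy/ESPv2 access-log format.

```python
import json
import re

# Constructed: the API's spec paths and the HTTP methods the service config
# defines for each (assumption: derive this map from your own OpenAPI spec).
SERVICE_METHODS = {
    "/v1/orders": {"GET", "POST"},
    "/v1/orders/{id}": {"GET"},
}

# Constructed JSON-per-line access-log sample; field names are assumptions.
SAMPLE_LOGS = """\
{"method":"GET","path":"/v1/orders","override":"","auth":"Bearer x.y.z","status":200}
{"method":"POST","path":"/v1/orders","override":"PATCH","auth":"","status":200}
{"method":"POST","path":"/v1/orders","override":"GET","auth":"","status":401}
{"method":"GET","path":"/v1/orders/42","override":"TRACE","auth":"","status":404}
"""

def match_template(path):
    """Return the spec path template a concrete request path matches, or None."""
    for tmpl in SERVICE_METHODS:
        pattern = "^" + re.sub(r"\{[^/]+\}", "[^/]+", tmpl) + "$"
        if re.match(pattern, path):
            return tmpl
    return None

def is_suspicious(entry):
    """True when X-HTTP-Method-Override names a method the service config does
    not define for the path: the request shape CVE-2023-30845 lets past JWT.
    Unknown paths map to an empty method set, so any override there is flagged."""
    override = entry.get("override", "").upper()
    if not override:
        return False
    defined = SERVICE_METHODS.get(match_template(entry["path"]), set())
    return override not in defined

def scan(log_text):
    """Return (path, override method, bearer token present?) for each hit."""
    hits = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        if is_suspicious(entry):
            has_jwt = entry.get("auth", "").startswith("Bearer ")
            hits.append((entry["path"], entry["override"].upper(), has_jwt))
    return hits

def is_vulnerable_version(image_tag):
    """True if the ESPv2 image tag lies in the affected range 2.20.0 to 2.42.0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", image_tag)
    return bool(m) and (2, 20, 0) <= tuple(map(int, m.groups())) <= (2, 42, 0)
```

Feed `scan()` the output of `kubectl logs` (or your log pipeline) once the field names are mapped; every hit on an unpatched version deserves review, and hits without a bearer token are the strongest signal.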
🔗 References
- https://github.com/GoogleCloudPlatform/esp-v2/commit/0bcdfc024ce96b34db4e1b4f2211b509d9be93cd
- https://github.com/GoogleCloudPlatform/esp-v2/commit/e95670146f5e96bb5565b0a9c1e153886b3e04ce
- https://github.com/GoogleCloudPlatform/esp-v2/commit/e98061ee4527a564506ba4e814c0ecf324dc2c6f
- https://github.com/GoogleCloudPlatform/esp-v2/security/advisories/GHSA-6qmp-9p95-fc5f