CVE-2022-29226

EPSS 0.07%
Published 09.06.2022 20:15:08
Last modified 21.11.2024 06:58:45
Source security-advisories@github.com
Teams watchlist Login
Open Login

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Envoyproxy ≫ Envoy Version < 1.22.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.21

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N
security-advisories@github.com	10	3.9	5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360

Patch

Third Party Advisory

https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-29226

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-29226

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-29226

EUVD