CVE-2022-29226

EPSS 0.07%
Veröffentlicht 09.06.2022 20:15:08
Zuletzt bearbeitet 21.11.2024 06:58:45
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Envoyproxy ≫ Envoy Version < 1.22.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.21

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N
security-advisories@github.com	10	3.9	5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360

Patch

Third Party Advisory

https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-29226

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-29226

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-29226

EUVD