CVE-2021-29492 Overview
CVE-2021-29492 is a path traversal vulnerability in Envoy, a cloud-native edge/middle/service proxy. The vulnerability exists because Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and earlier. A remote attacker can craft a path with escaped slashes, such as /something%2F..%2Fadmin, to bypass access control mechanisms that block paths like /admin. When backend servers decode these slash sequences and normalize the path, attackers can gain unauthorized access beyond what is permitted by the configured access control policy.
Critical Impact
This vulnerability enables privilege escalation when Envoy's RBAC or JWT authentication filters enforce policy based on the URL path. Deployments whose backend servers treat %2F and / (or %5C and \) interchangeably are exposed: such a backend resolves a request to a resource that Envoy's path-based policy never evaluated.
Affected Products
- Envoy versions prior to 1.18.3
- Envoy versions prior to 1.17.3
- Envoy versions prior to 1.16.4
- Envoy versions prior to 1.15.5
Discovery Timeline
- 2021-05-28 - CVE-2021-29492 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29492
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from a discrepancy in how Envoy and backend servers handle URL-encoded characters. The vulnerability is network-accessible without requiring authentication or user interaction, and it can affect resources beyond the vulnerable component's security scope.
When Envoy receives an HTTP request, it evaluates access control rules against the URL path as received. Its path handling does not decode the percent-encoded slash characters %2F (for /) and %5C (for \) before evaluation, and the RFC 3986 normalization offered by normalize_path does not close the gap on its own: to the normalizer, %2F..%2F is part of one opaque path segment, not a dot-segment it can remove. A backend that does decode these sequences therefore sees a different path than Envoy matched against, which is what lets an attacker bypass Envoy's access control layer.
The impact is particularly severe in environments using Role-Based Access Control (RBAC) or JWT filters for path-based authorization. An attacker can craft requests that appear benign to Envoy's access control evaluation but resolve to restricted paths when processed by the backend.
Root Cause
The root cause is that Envoy's URL path handling did not normalize URL-encoded slash sequences before applying access control rules, while the backend servers behind it did. Envoy and the backend therefore disagree on which resource a request addresses, and that disagreement is the bypass condition.
The vulnerability specifically occurs because:
- Envoy evaluates access control rules on the raw, encoded URL path
- Backend servers decode %2F to / and %5C to \
- The decoded path may traverse directory boundaries or access restricted resources
Attack Vector
The attack vector involves crafting HTTP requests with URL-encoded path traversal sequences. An attacker sends requests through Envoy with paths containing %2F (encoded forward slash) or %5C (encoded backslash) characters embedded within path traversal patterns.
For example, if Envoy is configured to deny the path prefix /admin, an attacker could send a request to /something%2F..%2Fadmin. Envoy's access control check compares the rule against the undecoded path, which begins with /something and so does not match the deny rule. When the backend server decodes the URL, it interprets the path as /something/../admin, normalizes it to /admin, and serves the protected resource. A literal /something/../admin does not behave the same way where normalize_path is enabled, because Envoy collapses the visible dot-segment before matching; the encoded variant slips through because %2F is not a segment separator to the normalizer.
This attack requires no authentication and can be executed remotely over the network. The impact extends to confidentiality, integrity, and availability of resources protected by Envoy's access control mechanisms.
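To make the discrepancy described in the Root Cause and Attack Vector sections concrete, here is an added Python model; it is not Envoy code and not taken from the advisory. It models the three parties involved: an access-control check evaluated on the still-encoded path, as in Envoy before the fix with normalize_path enabled; a constructed backend that decodes %2F and %5C, treats backslash as a separator and normalizes before serving; and the patched order of operations (unescape slashes, normalize, then match). The /admin deny rule and the test paths are constructed for the example.

```python
"""Path-matching discrepancy behind CVE-2021-29492.

Added illustration, not Envoy code. It models an access-control check applied
to the request path before %2F/%5C are decoded (pre-1.18.3 Envoy with
normalize_path: true), a constructed backend that decodes those escapes and
normalizes '..' before serving, and the patched order of operations (unescape
slashes, normalize, then match). The deny rule and backend are constructed.
"""
import posixpath
import re

# Constructed policy mirroring the advisory's example: a prefix rule on /admin.
DENIED_PREFIXES = ("/admin",)

# Only the two sequences the advisory names. Percent-escape hex digits are
# case-insensitive (RFC 3986 section 2.1), so %2f and %5c must match too.
_ESCAPED_SLASH = re.compile(r"%(2F|5C)", re.IGNORECASE)


def unescape_slashes(path: str) -> str:
    """Decode %2F to '/' and %5C to '\\'; every other escape is left untouched."""
    return _ESCAPED_SLASH.sub(lambda m: "/" if m.group(1).upper() == "2F" else "\\", path)


def normalize(path: str, backslash_is_separator: bool) -> str:
    """Remove '.' and '..' segments and collapse repeated slashes.

    backslash_is_separator models the backend class the advisory describes
    (one that treats '\\' and '/' interchangeably). It is this example's
    modelling choice, not a claim about what Envoy's normalize_path does.
    """
    if backslash_is_separator:
        path = path.replace("\\", "/")
    path = re.sub(r"^/+", "/", path)  # posixpath keeps a leading '//' verbatim
    return posixpath.normpath(path)


def is_denied(path: str) -> bool:
    """Plain string-prefix rule, like an RBAC path prefix matcher."""
    return any(path.startswith(p) for p in DENIED_PREFIXES)


def vulnerable_proxy_allows(raw_path: str) -> bool:
    """Pre-fix: '..' is normalised but %2F/%5C are not decoded, so an escaped
    '..' never forms a segment the normaliser can see."""
    return not is_denied(normalize(raw_path, backslash_is_separator=False))


def decode_and_normalize(raw_path: str) -> str:
    """Unescape the two slash encodings, then normalise with '\\' as '/'."""
    return normalize(unescape_slashes(raw_path), backslash_is_separator=True)


def backend_resource(raw_path: str) -> str:
    """Constructed backend: the resource it would serve for the raw path."""
    return decode_and_normalize(raw_path)


def hardened_proxy_allows(raw_path: str) -> bool:
    """Post-fix order: unescape, normalise, then match. The proxy collapses at
    least every equivalence the backend collapses, so it reuses the same step."""
    return not is_denied(decode_and_normalize(raw_path))


def bypass_possible(raw_path: str) -> bool:
    """The CVE condition: the pre-fix proxy admits the request and the backend
    resolves it to a denied resource."""
    return vulnerable_proxy_allows(raw_path) and is_denied(backend_resource(raw_path))


if __name__ == "__main__":
    for p in ("/admin", "/something/../admin", "/something%2F..%2Fadmin",
              "/something%5c..%5cadmin", "/%2Fadmin", "/public/report"):
        print(f"{p:28} pre-fix allows={vulnerable_proxy_allows(p)!s:5} "
              f"post-fix allows={hardened_proxy_allows(p)!s:5} "
              f"backend serves={backend_resource(p)}")
```

Running it shows the literal /something/../admin refused by both checks, because dot-segment normalization already handles visible traversal, while /something%2F..%2Fadmin (and its lowercase and %5C variants) passes the pre-fix check and resolves to /admin on the backend. The hardened check deliberately copies the backend's treatment of backslashes: a proxy-side normalization that collapses fewer equivalences than the backend leaves a residual gap, which is why the advisory's other remedy is to stop backends treating these sequences interchangeably.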
Detection Methods for CVE-2021-29492
Indicators of Compromise
- HTTP requests containing %2F or %5C sequences followed by .. patterns in URL paths
- Backend access to administrative or restricted resources by requests whose Envoy-side path did not name those resources
- Log entries showing path-based access control decisions that don't match actual backend resource access
- Multiple requests probing various encoded path combinations targeting sensitive endpoints
Detection Strategies
- Implement web application firewall rules to detect and alert on URL-encoded path traversal sequences such as %2F..%2F or %5C..%5C, matching case-insensitively since %2f and %5c are equivalent encodings
- Enable detailed access logging on both Envoy and backend servers to correlate requested paths with actual resource access
- Deploy intrusion detection rules that identify path traversal attempts using percent-encoded characters
- Monitor for authentication bypass attempts by comparing Envoy access decisions against backend access logs
Monitoring Recommendations
- Configure Envoy access logs to capture the full request path including encoded characters for forensic analysis; Envoy's default access log format records the path via %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%, so verify that the logged value still shows the encoded sequences once path normalization or escaped-slash handling rewrites the path, and log the original path explicitly if it does not
- Establish baseline metrics for access to sensitive endpoints and alert on anomalous access patterns
- Implement real-time log correlation between Envoy and backend servers to detect path interpretation discrepancies
- Set up alerts for requests containing suspicious URL encoding patterns targeting known restricted paths
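An added example, not part of the original page or of Envoy, that applies the detection strategies above to Envoy's default-format access log: it extracts the request path from each line, flags %2F or %5C adjacent to a dot-segment as a traversal probe, records any other encoded slash at lower severity, and marks traversal probes that received a 2xx response as likely bypasses to correlate with backend logs. The log lines are constructed for the example; the field layout follows Envoy's default access log format.

```python
"""Scanning Envoy access logs for CVE-2021-29492 probes.

Added example, not part of the original page or of Envoy. It parses lines in
Envoy's default access log format, flags percent-encoded slash sequences next
to dot-segments as traversal probes, flags any other encoded slash at lower
severity, and marks traversal probes that got a 2xx as likely bypasses. The
log lines below are constructed for the example.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# Start of an Envoy default-format line:
#   [START_TIME] "METHOD PATH PROTOCOL" RESPONSE_CODE ...
# The path field there is %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%.
_REQUEST_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# %2F/%5C (any hex case) immediately before or after a '..' segment.
_ENCODED_TRAVERSAL = re.compile(r"(?:%2F|%5C)\.\.|\.\.(?:%2F|%5C)", re.IGNORECASE)
# Any encoded slash at all: only a problem if the backend decodes it, but
# worth a low-severity record given the advisory's impact statement.
_ENCODED_SLASH = re.compile(r"%2F|%5C", re.IGNORECASE)


class Finding(NamedTuple):
    timestamp: str
    method: str
    path: str
    status: str
    severity: str  # "traversal" or "encoded-slash"


def classify_path(path: str) -> Optional[str]:
    """Return a severity label for the path, or None if nothing is suspicious."""
    if _ENCODED_TRAVERSAL.search(path):
        return "traversal"
    if _ENCODED_SLASH.search(path):
        return "encoded-slash"
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse default-format access log lines and collect suspicious requests."""
    findings: List[Finding] = []
    for line in lines:
        m = _REQUEST_LINE.match(line)
        if not m:
            continue  # not a default-format request line (custom format, or noise)
        severity = classify_path(m["path"])
        if severity is not None:
            findings.append(Finding(m["ts"], m["method"], m["path"], m["status"], severity))
    return findings


def likely_bypass(f: Finding) -> bool:
    """A traversal probe that Envoy answered with 2xx was forwarded and served:
    the strongest single-log indicator, to be confirmed against backend logs."""
    return f.severity == "traversal" and f.status.startswith("2")


# Constructed sample in Envoy's default access log format.
SAMPLE_LOG = """\
[2021-05-20T10:00:01.000Z] "GET /public/report HTTP/1.1" 200 - 0 4821 7 6 "203.0.113.10" "curl/7.68.0" "4f1c-0001" "app.example" "10.1.1.1:8080"
[2021-05-20T10:00:02.000Z] "GET /admin HTTP/1.1" 403 - 0 19 0 - "203.0.113.10" "curl/7.68.0" "4f1c-0002" "app.example" "-"
[2021-05-20T10:00:03.000Z] "GET /something%2F..%2Fadmin HTTP/1.1" 200 - 0 2048 5 4 "203.0.113.10" "curl/7.68.0" "4f1c-0003" "app.example" "10.1.1.1:8080"
[2021-05-20T10:00:04.000Z] "GET /something%5c..%5cadmin HTTP/1.1" 200 - 0 2048 5 4 "203.0.113.10" "curl/7.68.0" "4f1c-0004" "app.example" "10.1.1.1:8080"
[2021-05-20T10:00:05.000Z] "GET /files/report%2F2021.pdf HTTP/1.1" 200 - 0 9000 12 11 "198.51.100.7" "Mozilla/5.0" "4f1c-0005" "app.example" "10.1.1.1:8080"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        flag = " LIKELY BYPASS" if likely_bypass(f) else ""
        print(f"{f.timestamp} {f.severity:13} {f.status} {f.method} {f.path}{flag}")
```

The two traversal lines in the sample received a 200 from Envoy, which is what distinguishes a served bypass from a probe that RBAC already refused; the 403 on the literal /admin shows the policy itself is working. The "encoded-slash" tier will be noisy on applications that legitimately encode slashes in segments, so tune it per route rather than alerting on it globally.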
How to Mitigate CVE-2021-29492
Immediate Actions Required
- Upgrade Envoy to patched versions: 1.18.3, 1.17.3, 1.16.4, or 1.15.5 depending on your current version branch
- Set the new path_with_escaped_slashes_action option on the HTTP connection manager (introduced in the patched versions) to UNESCAPE_AND_FORWARD, UNESCAPE_AND_REDIRECT or REJECT_REQUEST; its default, IMPLEMENTATION_SPECIFIC_DEFAULT, currently leaves %2F and %5C unchanged, so upgrading alone does not change behavior
- Audit current access control configurations to identify paths that may be vulnerable to bypass
- Review backend server configurations to understand how they handle URL-encoded characters
Patch Information
Patches are available in Envoy versions 1.18.3, 1.17.3, 1.16.4, and 1.15.5. They add the path_with_escaped_slashes_action option to the HTTP connection manager, which can unescape %2F and %5C (then forward or redirect) or reject such requests before routing and filter evaluation; combine it with normalize_path so that the decoded .. segments are collapsed before access control runs. Refer to the Envoy Security Advisory GHSA-4987-27fx-x6cf for detailed patch information and upgrade instructions.
Workarounds
- If patching is not immediately possible, reconfigure backend servers to not treat %2F and / or %5C and \ interchangeably
- Implement additional access control at the backend server level that validates decoded paths
- Deploy a web application firewall in front of Envoy to normalize URL encoding before requests reach Envoy
- Review and strengthen path-based access control rules to account for potential encoding variations
# Example: decode %2F/%5C before access control evaluation (Envoy 1.18.3 / 1.17.3 / 1.16.4 / 1.15.5 or later)
# These fields belong to the HTTP connection manager's typed_config, not to the route configuration.
typed_config:
  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
  stat_prefix: ingress_http
  normalize_path: true    # RFC 3986 dot-segment removal, applied after unescaping
  merge_slashes: true     # collapse the // that unescaping can produce
  # The default IMPLEMENTATION_SPECIFIC_DEFAULT keeps %2F/%5C unchanged, so set this explicitly;
  # REJECT_REQUEST and UNESCAPE_AND_REDIRECT are the alternatives to forwarding.
  path_with_escaped_slashes_action: UNESCAPE_AND_FORWARD
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


