Envoy client may fake the header `x-envoy-original-path`
CVE-2023-27487

8.2HIGH

Key Information:

Vendor: Envoyproxy
Status: Envoy
Vendor: CVE Published:; 4 April 2023

What is CVE-2023-27487?

The Envoy Proxy has a security vulnerability that allows an untrusted client to bypass JSON Web Token (JWT) checks by forging the internal header x-envoy-original-path. This vulnerability arises because Envoy does not strip the header at the start of request processing, leading to potential misuse in trace and gRPC logs, as well as affecting JWT authentication if the jwt_authn filter is employed. Patches have been released in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 to address this issue.

Affected Version(s)

envoy >= 1.25.0, <1.25.3 < 1.25.0, 1.25.3

envoy >= 1.24.0, < 1.24.4 < 1.24.0, 1.24.4

envoy >= 1.23.0, < 1.23.6 < 1.23.0, 1.23.6

References

https://github.com/envoyproxy/envoy/security/advisories/G...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2023
Vulnerability Reserved
Mar 1, 2023

CVE-2023-27487 Data

JSON

Envoyproxy

What is CVE-2023-27487?

Affected Version(s)

References

CVSS V3.1

Timeline