CVE-2022-29226

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:58

Type Values Removed Values Added
CVSS v2 : 6.4
v3 : 9.1
v2 : 6.4
v3 : 10.0
References () https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 - Patch, Third Party Advisory () https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 - Patch, Third Party Advisory
References () https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh - Third Party Advisory () https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh - Third Party Advisory

16 Jun 2022, 18:44

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 6.4
v3 : 9.1
References (MISC) https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 - (MISC) https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh - (CONFIRM) https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh - Third Party Advisory
CPE cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

09 Jun 2022, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-06-09 20:15

Updated : 2024-11-21 06:58


NVD link : CVE-2022-29226

Mitre link : CVE-2022-29226

CVE.ORG link : CVE-2022-29226


JSON object : View

Products Affected

envoyproxy

  • envoy
CWE
CWE-306

Missing Authentication for Critical Function