CVE-2022-29226

Trivial authentication bypass in Envoy

CVSS 10 CRITICAL · EPSS 1.2% · CWE-306
In short

Envoy's OAuth filter fails to validate access tokens, allowing attackers to bypass authentication by simply attaching any access token to their request. This is critical because it completely breaks the security of OAuth-protected services.

Technical detail

The OAuth filter implementation lacks access token validation logic (CWE-306: Missing Authentication for Critical Function). When the HMAC-signed cookie is absent, the filter should trigger a full re-authentication flow; instead it assumes the token is valid, so any request bearing an arbitrary access token gains unauthorized access. Pre-condition: the attacker only needs to attach a malformed or arbitrary access token to a request; impact is a complete authentication bypass affecting every OAuth-protected endpoint behind the filter.
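To make the flaw concrete for a defender, here is an added Python model of the filter's allow/redirect decision; it is not Envoy's code, and the cookie names, the HMAC encoding and the secret are all constructed for the illustration. The vulnerable decision lets an Authorization header short-circuit the check; the fixed decision grants access only on a present, correctly signed, unexpired cookie set.

```python
import hashlib
import hmac

# Constructed secret for the demonstration; the real filter uses its configured HMAC secret.
HMAC_SECRET = b"demo-secret-not-a-real-key"

def sign_cookie(host: str, expires: int, token: str) -> str:
    """HMAC-SHA256 over the values the signed cookie binds together (modelled, not Envoy's exact encoding)."""
    msg = f"{host}\n{expires}\n{token}".encode()
    return hmac.new(HMAC_SECRET, msg, hashlib.sha256).hexdigest()

def cookie_is_valid(host: str, cookies: dict, now: int) -> bool:
    """True only if all three (assumed-name) cookies are present, unexpired, and the HMAC matches."""
    try:
        expires = int(cookies["oauth_expires"])
        token = cookies["bearer_token"]
        tag = cookies["oauth_hmac"]
    except (KeyError, ValueError):
        return False  # missing or malformed cookie: nothing proves a completed OAuth flow
    return now < expires and hmac.compare_digest(tag, sign_cookie(host, expires, token))

def decide_vulnerable(host: str, headers: dict, cookies: dict, now: int) -> str:
    """Models the pre-1.22.1 flaw: any bearer token in the request is assumed already validated."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return "allow"  # nothing ties this token to a completed OAuth flow
    return "allow" if cookie_is_valid(host, cookies, now) else "redirect_to_auth"

def decide_fixed(host: str, headers: dict, cookies: dict, now: int) -> str:
    """Hardened decision: the Authorization header never short-circuits the cookie check."""
    return "allow" if cookie_is_valid(host, cookies, now) else "redirect_to_auth"

def demo() -> dict:
    host = "app.example.internal"
    now = 1_700_000_000
    expires = now + 3600
    # Constructed session that completed the OAuth flow and was issued a signed cookie set.
    good = {"oauth_expires": str(expires), "bearer_token": "tok-issued-by-idp",
            "oauth_hmac": sign_cookie(host, expires, "tok-issued-by-idp")}
    forged_hdrs = {"authorization": "Bearer made-up-value"}  # no cookies, arbitrary header only
    return {
        "vulnerable_forged": decide_vulnerable(host, forged_hdrs, {}, now),
        "fixed_forged": decide_fixed(host, forged_hdrs, {}, now),
        "fixed_legit": decide_fixed(host, {}, good, now),
        "fixed_expired": decide_fixed(host, {}, good, expires + 1),
    }

if __name__ == "__main__":
    print(demo())
```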

Summary generated and translated by AI from the official description.
Envoy is a cloud-native, high-performance proxy. In versions prior to 1.22.1, the OAuth filter implementation does not include a mechanism for validating access tokens, so by design, when the HMAC-signed cookie is missing, a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated, thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Affected products
envoyproxy · envoy