CVE-2022-21656

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-21656
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-21656.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-21656
Aliases
Published
2022-02-22T22:25:11Z
Modified
2025-11-28T03:17:28.265306Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
X.509 subjectAltName matching bypass in Envoy
Details

Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for example, an rfc822Name or uniformResourceIndicator to be authenticated as a domain name. This confusion allows for the bypassing of nameConstraints, as processed by the underlying OpenSSL/BoringSSL implementation, exposing the possibility of impersonation of arbitrary servers. As a result, Envoy will trust upstream certificates that should not be trusted.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/21xxx/CVE-2022-21656.json",
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type
GIT
Repo
https://github.com/envoyproxy/envoy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.18.1
v1.18.2
v1.19.0
v1.20.0
v1.20.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-21656.json"

vanir_signatures

[
    {
        "signature_type": "Function",
        "id": "CVE-2022-21656-750e7fbb",
        "source": "https://github.com/envoyproxy/envoy/commit/4aaf9593152c6996b9da384c8918e9ad4f0abd4d",
        "target": {
            "file": "source/common/conn_pool/conn_pool_base.cc",
            "function": "ConnPoolImplBase::checkForIdleAndCloseIdleConnsIfDraining"
        },
        "digest": {
            "length": 338.0,
            "function_hash": "43013079311173114698727080572662162328"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2022-21656-75516c6f",
        "source": "https://github.com/envoyproxy/envoy/commit/4aaf9593152c6996b9da384c8918e9ad4f0abd4d",
        "target": {
            "file": "source/common/conn_pool/conn_pool_base.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "238363169343804913942300291017684487943",
                "281075802092293195505541183629950851527",
                "190309091056183134939303314630437286332",
                "1336839216182560585869212455485126136",
                "91854374677920975889051724337189261314",
                "176073550574850004587196271703191506168",
                "54303611712421497849276770032572170236",
                "89596254872871249889385232134194772639",
                "232868586170569298338666905475474416875",
                "68418232771506422252069681807775341343"
            ]
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2022-21656-bf50e605",
        "source": "https://github.com/envoyproxy/envoy/commit/4aaf9593152c6996b9da384c8918e9ad4f0abd4d",
        "target": {
            "file": "test/integration/cds_integration_test.cc"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "97652407307682118633090827808836069896",
                "202222073443799289957911450767890213833",
                "115564202354952612799820744008677299818",
                "100865938374520508671052066897428637482",
                "266358857140130331037141171435995735386",
                "241277250285489246241581928533925069698",
                "112864798336767260895615422020255373801",
                "326344252156913283305823248376635974319",
                "149501076714298581724217944116072240117",
                "20851967513280832025446682514306651511",
                "101660301215173511645125806388931558046",
                "161983258376373368998625288716073445864",
                "125013157627477663648794220335175813129",
                "114297756736507093046297363714182913184",
                "326342629182717535494243166437244508087",
                "129503348076797258550455082149053172774",
                "6063454819406071701935832397149074681",
                "25450544109902264946434894665349483615",
                "14209541420216802153449926603071335280",
                "28083104488430351869423149520385632380",
                "27329837804645812211356628610675816305"
            ]
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2022-21656-ce5c4e8e",
        "source": "https://github.com/envoyproxy/envoy/commit/4aaf9593152c6996b9da384c8918e9ad4f0abd4d",
        "target": {
            "file": "test/config/utility.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "150676539833679190158940891882333303963",
                "27409818851555323095073296906901027733",
                "55324179392422643085196396072729602785"
            ]
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2022-21656-dc8d3820",
        "source": "https://github.com/envoyproxy/envoy/commit/4aaf9593152c6996b9da384c8918e9ad4f0abd4d",
        "target": {
            "file": "source/common/conn_pool/conn_pool_base.cc",
            "function": "ConnPoolImplBase::closeIdleConnectionsForDrainingPool"
        },
        "digest": {
            "length": 528.0,
            "function_hash": "83990222759686494038875668905777786185"
        },
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2022-21656-f0c98cd4",
        "source": "https://github.com/envoyproxy/envoy/commit/4aaf9593152c6996b9da384c8918e9ad4f0abd4d",
        "target": {
            "file": "source/common/conn_pool/conn_pool_base.cc"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "211063805449318930197667500157467379330",
                "238149429280769817104751274898789662521",
                "155508904057016497276277837828561242331",
                "306263256694188145409853147140795887683",
                "24621026682503930056724633583760538450",
                "210759516705868193041331552012792706907",
                "268100365964683135363265243678321089408",
                "116993638250131326183953285211810091083",
                "57246520075670457973995740670893215413",
                "194433285147185661463287816608904302305",
                "245699478661219870215728951569204544048",
                "286440446911758131586479113237388457926",
                "33382072507043576477734303938545662581",
                "298229981597606534667320296045042459684",
                "173090808602105440099610064642968627733",
                "210942585548006467924962946211585504886",
                "193341038770066763728097793037333651465",
                "340006873902019806079016649741212930377",
                "286206063645562425499514746822691310145",
                "291017590637862723045538078816014658015"
            ]
        },
        "signature_version": "v1",
        "deprecated": false
    }
]