CVE-2022-29226

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-29226
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29226.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-29226
Aliases
Related
Published
2022-06-09T20:15:08Z
Modified
2024-10-11T09:07:23Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
[none]
Details

Envoy is a cloud-native, high-performance proxy. In versions prior to 1.22.1, the OAuth filter implementation does not include a mechanism for validating access tokens, so by design a full authentication flow should be triggered when the HMAC-signed cookie is missing. However, the current implementation assumes that access tokens are always validated, and therefore allows access whenever any access token is attached to the request. Users are advised to upgrade. There is no known workaround for this issue.

References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type
GIT
Repo
https://github.com/envoyproxy/envoy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed