漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Envoy vulnerable to bypass of RBAC uri_template permission
Vulnerability Description
Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8, Envoy's URI template matcher incorrectly excludes the `*` character from a set of valid characters in the URI path. As a result URI path containing the `*` character will not match a URI template expressions. This can result in bypass of RBAC rules when configured using the `uri_template` permissions. This vulnerability is fixed in Envoy versions v1.34.1, v1.33.3, v1.32.6, v1.31.8. As a workaround, configure additional RBAC permissions using `url_path` with `safe_regex` expression.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
过度严格的正则表达式
Vulnerability Title
Envoy 安全漏洞
Vulnerability Description
Envoy是Enphase开源的一款用于连接智能家居设备的网关程序。 Envoy 1.34.1之前版本存在安全漏洞,该漏洞源于URI模板匹配器错误排除字符,可能导致RBAC规则绕过。
CVSS Information
N/A
Vulnerability Type
N/A