Envoy URI Template Matcher RBAC Bypass Vulnerability

Vulnerability

A vulnerability exists in Envoy's URI template matcher prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8. The matcher incorrectly excludes the '*' character from the set of valid URI path characters, so a path containing '*' fails to match URI template expressions that should cover it. This flaw can cause a bypass of Role-Based Access Control (RBAC) rules when 'uri_template' permissions are used: a request from an untrusted peer whose URI path includes the '*' character is not matched by the template and therefore bypasses the specified RBAC restrictions.

Impact

Exploitation of this vulnerability can lead to unauthorized access by bypassing RBAC rules configured with 'uri_template' permissions.

Remediation

To address this vulnerability, update to Envoy version 1.34.1, 1.33.3, 1.32.6, or 1.31.8. As an interim alternative, additional RBAC permissions can be configured using 'url_path' with 'safe_regex' expressions, which match on the raw path and are not affected by the template matcher's character set.
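As an added illustration of the interim mitigation (this is example configuration written for this page, not code from the advisory or from the Envoy project), the HTTP RBAC filter below carries a DENY policy that originally relied only on a 'uri_template' permission, with a 'url_path' / 'safe_regex' permission added beside it. The "/admin/{resource}" path, the policy name and the "any" principal are assumptions.

```yaml
# Added example (not from the advisory): Envoy HTTP RBAC filter configuration.
# The DENY policy below originally depended on the uri_template permission alone;
# the url_path/safe_regex permission is added as the advisory's interim mitigation.
# Assumptions: the "/admin/{resource}" path, the policy name and the "any" principal.
name: envoy.filters.http.rbac
typed_config:
  "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    action: DENY
    policies:
      "deny-admin-paths":
        principals:
          - any: true   # assumption: applies to every peer; narrow to untrusted peers as needed
        permissions:
          # Original permission: evaluated by the URI template matcher, which in the
          # affected versions does not treat '*' as a valid path character, so a path
          # containing '*' is not matched and the DENY does not apply.
          - uri_template:
              name: envoy.path.match.uri_template.uri_template_matcher
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                path_template: "/admin/{resource}"
          # Added mitigation: a regex over the raw URL path. Permissions within a
          # policy are OR'ed, so a path the template matcher rejects is still denied
          # when it matches this expression ([^/]+ matches '*' like any other character).
          - url_path:
              path:
                safe_regex:
                  regex: "^/admin/[^/]+$"
```

After upgrading to a fixed version the added 'url_path' permission can be kept; it is harmless alongside a correct template match.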

Added: Jun 5, 2025, 11:29 PM
Updated: Jun 6, 2025, 12:04 AM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 8.1
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.