Envoy OAuth2 Filter Session Hijacking Vulnerability

Vulnerability

A session hijacking vulnerability has been identified in the Envoy OAuth2 filter, present in versions prior to 1.32.10, 1.33.0 through 1.33.6, 1.34.0 through 1.34.4, and 1.35.0. The issue is one of insufficient session expiration: the filter fails to delete session cookies whose names carry the '__Secure-' or '__Host-' prefix. Browsers only honour a Set-Cookie header for a prefixed cookie name when it carries the Secure attribute, and this applies to an expiring Set-Cookie just as much as to one that sets a value. During logout, the filter does not append the required Secure attribute to the Set-Cookie header, so modern browsers discard the deletion request. As a result, the session cookie remains active, allowing unauthorized access to the user's account on shared computers.

Impact

Exploitation of this vulnerability allows for session hijacking, where a user remains logged in after attempting to log out. This creates a risk of unauthorized access to the user's account and data, particularly on shared or public computers.

Reproduction

To reproduce this vulnerability, configure the Envoy OAuth2 filter with cookie names that carry the '__Secure-' or '__Host-' prefix. Log in, then log out. The Set-Cookie header in the logout response lacks the Secure attribute, the browser rejects it, and the session cookie is not deleted, leaving the session active.
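The following is an added example, not code from Envoy or from this advisory. It models the browser-side check that causes the bug: a logout response's Set-Cookie headers are parsed, the cookie-prefix rules a modern browser enforces are applied, and the cookies that survive logout are reported. The cookie names and the two logout responses (the vulnerable one without Secure, the corrected one with it) are constructed for illustration and are not the filter's real cookie names.

```python
"""
Check whether a logout response really clears cookie-prefixed session cookies.

Browsers enforce cookie-prefix rules before storing or expiring a cookie:
  - a name starting with "__Secure-" needs the Secure attribute;
  - a name starting with "__Host-" needs Secure, Path=/ and no Domain.
A Set-Cookie that breaks these rules is dropped entirely, even when its only
purpose is to expire the cookie, so the existing session cookie survives.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()   # flags map to ""
    return name.strip(), value, attrs


def browser_accepts(name, attrs):
    """Apply the cookie-prefix rules; False means the header is ignored."""
    if name.startswith("__Host-"):
        return "secure" in attrs and "domain" not in attrs and attrs.get("path") == "/"
    if name.startswith("__Secure-"):
        return "secure" in attrs
    return True


def is_deletion(attrs):
    """True when the header expires the cookie (Max-Age<=0 or a past Expires)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc)
        except (TypeError, ValueError):
            return False
    return False


def surviving_cookies(session_cookies, logout_headers):
    """Return the session cookies a browser would still hold after logout."""
    remaining = set(session_cookies)
    for header in logout_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in remaining and is_deletion(attrs) and browser_accepts(name, attrs):
            remaining.discard(name)
    return remaining


# Constructed sample data: cookie names and logout responses for illustration only.
SESSION_COOKIES = ["__Secure-SessionToken", "__Host-SessionHmac"]

VULNERABLE_LOGOUT = [  # deletion without Secure: browsers drop both headers
    "__Secure-SessionToken=; Max-Age=0; Path=/",
    "__Host-SessionHmac=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]

FIXED_LOGOUT = [  # same deletion with Secure appended: both cookies are cleared
    "__Secure-SessionToken=; Max-Age=0; Path=/; Secure",
    "__Host-SessionHmac=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure",
]


if __name__ == "__main__":
    print("vulnerable logout leaves:", surviving_cookies(SESSION_COOKIES, VULNERABLE_LOGOUT))
    print("fixed logout leaves:     ", surviving_cookies(SESSION_COOKIES, FIXED_LOGOUT))
```

The same check can be pointed at a captured logout response from a deployment: if any prefixed session cookie is reported as surviving, the instance is still exhibiting the behaviour described above.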

Remediation

As a workaround, avoid cookie names with the '__Secure-' or '__Host-' prefixes in the OAuth2 filter configuration. The fix is to update to Envoy version 1.32.10, 1.33.7, 1.34.5, or 1.35.1.

Added: Sep 3, 2025, 8:23 PM
Updated: Sep 3, 2025, 8:23 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 1.3
exploitability: 6.3
remediation: 7.9
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.