Envoy
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*
- <= 1.33.0
A critical injection vulnerability has been identified in Envoy versions prior to 1.33.0, specifically within the Query Parameter Handler component. The issue arises in the 'params.add' function of 'source/extensions/filters/http/header_mutation/header_mutation.cc'. This vulnerability allows remote exploitation by injecting arbitrary query parameters through unencoded header values. For instance, a header value containing '&' or '=' can be manipulated to create multiple query parameters. Other Envoy filters, such as OAuth2 and gRPC transcoder, properly encode query parameters, highlighting a flaw in the header mutation filter.
Exploitation of this vulnerability leads to injection, allowing attackers to manipulate query parameters in HTTP requests.
To reproduce this vulnerability, send an HTTP request to an Envoy server running a vulnerable version with a header that includes unencoded query parameter characters, such as '&' or '='. The header mutation filter will inject these as separate query parameters, demonstrating the injection flaw.
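The mechanism above, as an added example that is not Envoy's code: a minimal model of an "append header value as query parameter" step in its vulnerable (raw concatenation) and hardened (percent-encoded) forms, plus a check that counts how many query parameters each form actually produces. The function names, the sample path and the header value are constructed for this illustration.

```python
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def append_query_param_unencoded(path: str, name: str, value: str) -> str:
    """Vulnerable form: the raw header value is concatenated into the query.
    Any '&' or '=' inside the value becomes a query delimiter."""
    parts = urlsplit(path)
    pair = f"{name}={value}"
    query = f"{parts.query}&{pair}" if parts.query else pair
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def append_query_param_encoded(path: str, name: str, value: str) -> str:
    """Hardened form: name and value are percent-encoded (safe='' so that
    '&', '=', '/', '#' and '?' are all escaped), so the value stays one parameter."""
    parts = urlsplit(path)
    pair = f"{quote(name, safe='')}={quote(value, safe='')}"
    query = f"{parts.query}&{pair}" if parts.query else pair
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def query_params(path: str) -> list[tuple[str, str]]:
    """Parse the query string the way a downstream service would see it."""
    return parse_qsl(urlsplit(path).query, keep_blank_values=True)


# Constructed sample: a request path and a header value that carries both delimiters.
SAMPLE_PATH = "/api/items?x=1"
HEADER_VALUE = "alice&role=admin"

if __name__ == "__main__":
    raw = append_query_param_unencoded(SAMPLE_PATH, "tenant", HEADER_VALUE)
    safe = append_query_param_encoded(SAMPLE_PATH, "tenant", HEADER_VALUE)
    # Unencoded: 3 parameters, including an attacker-chosen 'role'; encoded: 2 parameters.
    print(raw, query_params(raw))
    print(safe, query_params(safe))
```

The same parameter-count comparison can be run against captured proxy access logs to confirm whether a deployed filter chain is encoding header-derived query values.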
Update Envoy to version 1.33.0 or later, where this vulnerability has been fixed. The patch is available on the Envoy GitHub repository.