x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-2wmf-p7f8-w42h

[GoVulnBot]

In GitHub Security Advisory GHSA-2wmf-p7f8-w42h, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/envoyproxy/envoy	1.9.1	<= 1.9.0

Cross references:

• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      versions:
        - introduced: TODO (earliest fixed "1.9.1", vuln range "<= 1.9.0")
      vulnerable_at: 1.26.3
      packages:
        - package: github.com/envoyproxy/envoy
summary: EnvoyProxy Envoy Missing HTTP URL path normalization
description: |-
    Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may
    craft a relative path, e.g., `something/../admin`, to bypass access control,
    e.g., a block on `/admin`. A backend server could then interpret the
    non-normalized path and provide an attacker access beyond the scope provided for
    by the access control policy.
cves:
    - CVE-2019-9901
ghsas:
    - GHSA-2wmf-p7f8-w42h
references:
    - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w
    - web: https://nvd.nist.gov/vuln/detail/CVE-2019-9901
    - report: https://github.com/envoyproxy/envoy/issues/6435
    - web: https://groups.google.com/forum/#!topic/envoy-announce/VoHfnDqZiAM
    - web: https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history
    - fix: https://github.com/envoyproxy/envoy/pull/6519/commits/e668e669677e52a00d99652b5a260d1cedafdfa8
    - web: https://github.com/envoyproxy/envoy/blob/main/security/postmortems/cve-2019-9900.md
    - advisory: https://github.com/advisories/GHSA-2wmf-p7f8-w42h

[gopherbot]

Change https://go.dev/cl/513195 mentions this issue: data/excluded: batch add 26 excluded reports