Skip to content

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656#335
Assignees
julieqiu
Labels
excluded: NOT_GO_CODEThis vulnerability does not refer to a Go module.
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Feb 22, 2022

In CVE-2022-21656, the reference URL github.com/envoyproxy/envoy (and possibly others) refers to something in Go.

module: github.com/envoyproxy/envoy
package: envoy
description: |
    Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for example, an rfc822Name or uniformResourceIndicator to be authenticated as a domain name. This confusion allows for the bypassing of nameConstraints, as processed by the underlying OpenSSL/BoringSSL implementation, exposing the possibility of impersonation of arbitrary servers. As a result Envoy will trust upstream certificates that should not be trusted.
cves:
  - CVE-2022-21656
links:
    commit: https://github.com/envoyproxy/envoy/commit/bb95af848c939cfe5b5ee33c5b1770558077e64e
    context:
      - https://github.com/envoyproxy/envoy/security/advisories/GHSA-c9g7-xwcv-pjx2

See doc/triage.md for instructions on how to triage this report.

Metadata

Metadata

Assignees

Labels

excluded: NOT_GO_CODEThis vulnerability does not refer to a Go module.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions