Path traversal in envoy - CVE-2019-9901

 

Path traversal in envoy - CVE-2019-9901

Published: November 8, 2019 / Updated: June 24, 2026


Vulnerability identifier: #VU135103
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-9901
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cloud Native Computing Foundation
Affected software:
envoy

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass access control.

The vulnerability exists due to path traversal in RBAC, HTTP router, external authorization, and rate limiting components when handling relative path URLs delivered by an untrusted client. A remote attacker can send a specially crafted request path containing relative path segments to bypass access control.

The issue can also affect routing and authorization decisions when a backend normalizes the path differently than Envoy.


How to mitigate CVE-2019-9901

Install security update from vendor's website.

Sources