
CVE-2021-32783: Externally Controlled Reference to a Resource in Another Sphere

July 23, 2021 (updated August 5, 2021)

Contour is a Kubernetes ingress controller that uses Envoy as its proxy. In Contour, a specially crafted Service of type ExternalName can be used to reach Envoy's admin interface, which Contour normally blocks from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service) or to reveal the existence of any Secret that Envoy is using in its configuration, most notably TLS keypairs.

References

  • nvd.nist.gov/vuln/detail/CVE-2021-32783


Affected versions

All versions before 1.17.1

Fixed versions

  • v1.17.1

Solution

Upgrade to version 1.17.1 or above.

Impact 8.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H


Source file

go/github.com/projectcontour/contour/CVE-2021-32783.yml


Page generated Wed, 14 May 2025 12:15:47 +0000.