CVE-2021-36371

{"id": "CVE-2021-36371", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2021-07-09T21:15:08.583", "references": [{"url": "https://github.com/emissary-ingress/emissary/issues/3340", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/emissary-ingress/emissary/releases/tag/v2.0.0-ea", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate authentication. The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend. (2.x versions are unaffected. 1.x versions are unaffected with certain configuration settings involving prune_unreachable_routes and a wildcard Host resource.)"}, {"lang": "es", "value": "Emissary-Ingress (antes Ambassador API Gateway) hasta la versi\u00f3n 1.13.9 permite a los atacantes eludir los requisitos de certificado del cliente (es decir, mTLS cert_required) en los flujos ascendentes del backend cuando se define m\u00e1s de un TLSContext y existe al menos una configuraci\u00f3n que no requiere autenticaci\u00f3n de certificado del cliente. El atacante debe enviar un SNI especificando un backend no protegido y una cabecera HTTP Host especificando un backend protegido. (Las versiones 2.x no se ven afectadas. Las versiones 1.x no se ven afectadas con ciertos ajustes de configuraci\u00f3n que implican prune_unreachable_routes y un recurso Host comod\u00edn)"}], "lastModified": "2021-07-14T14:57:33.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:getambassador:emissary-ingress:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B2281C9-BA17-4B88-A762-3CA71940E3A5", "versionEndIncluding": "1.13.9"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}