{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T10:22:01.099","vulnerabilities":[{"cve":{"id":"CVE-2022-21657","sourceIdentifier":"security-advisories@github.com","published":"2022-02-22T23:15:11.277","lastModified":"2024-11-21T06:45:10.227","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade."},{"lang":"es","value":"Envoy es un proxy de borde y servicio de código abierto, diseñado para aplicaciones nativas de la nube. En las versiones afectadas, Envoy no restringe el conjunto de certificados que acepta del par, ya sea como cliente TLS o como servidor TLS, a sólo aquellos certificados que contienen el extendedKeyUsage necesario (id-kp-serverAuth e id-kp-clientAuth, respectivamente). Esto significa que un par puede presentar un certificado de correo electrónico (por ejemplo, id-kp-emailProtection), ya sea como certificado de hoja o como CA en la cadena, y será aceptado para TLS. Esto es particularmente malo cuando es combinado con el problema descrito en la petición #630, en el sentido de que permite que una CA de PKI de la Web que está destinada sólo a ser usada con S/MIME, y por lo tanto exenta de auditoría o supervisión, emita certificados TLS que serán aceptados por Envoy. En consecuencia, Envoy confiará en certificados de origen que no deberían ser confiables. No se conocen medidas de mitigación a este problema. Es recomendado a usuarios actualizar"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:N","baseScore":4.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*","versionEndExcluding":"1.18.6","matchCriteriaId":"0EFC93D0-C206-417C-81D0-F18145E3D768"},{"vulnerable":true,"criteria":"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*","versionStartIncluding":"1.19.0","versionEndExcluding":"1.19.3","matchCriteriaId":"2812AC62-44B5-4077-862D-A221CD88981D"},{"vulnerable":true,"criteria":"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.2","matchCriteriaId":"F5441B2D-F807-4ED9-AFB9-ED4DE07CE5F8"}]}]}],"references":[{"url":"https://github.com/envoyproxy/envoy/pull/630","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-837m-wjrv-vm5g","source":"security-advisories@github.com","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://github.com/envoyproxy/envoy/pull/630","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-837m-wjrv-vm5g","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"]}]}}]}