CVE-2021-32783: Authorization bypass in Contour

Published Jul 23, 2021
·
Updated

Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it *cannot* be used to get the *content* of those secrets. Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above. The issue will be addressed in Contour v1.18.0 and a cherry-picked patch release, v1.17.1, has been released to cover users who cannot upgrade at this time. For more details refer to the linked GitHub Security Advisory.

Affected Software

1 affected component
projectcontour Contour Kubernetes<1.17.1

Remediation

Patch Available

https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e

Event History

Jul 23, 2021
CVE Published
via MITRE·09:50 PM
Data Sourced
via MITRE·09:50 PM
DescriptionSeverityWeakness
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-32783?

CVE-2021-32783 is a vulnerability in Contour, a Kubernetes ingress controller, that allows unauthorized access to Envoy's admin interface.

2

How does CVE-2021-32783 affect Contour?

CVE-2021-32783 affects Contour version 1.17.1 and earlier, allowing a specially crafted ExternalName type Service to access Envoy's admin interface.

3

What is the severity of CVE-2021-32783?

The severity of CVE-2021-32783 is rated as high with a CVSS score of 8.5.

4

How can I fix CVE-2021-32783 in Contour?

To fix CVE-2021-32783, update Contour to version 1.17.1 or later.

5

Where can I find more information about CVE-2021-32783?

You can find more information about CVE-2021-32783 in the references provided: [GitHub Commit](https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e), [GitHub Release](https://github.com/projectcontour/contour/releases/tag/v1.17.1), [GitHub Security Advisory](https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2021-32783 - Authorization bypass in Contour - SecAlerts