QID 981425

QID 981425: Go (go) Security Update for github.com/projectcontour/contour (GHSA-5ph6-qq5x-7jwc)

Security update has been released for github.com/projectcontour/contour to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Josh Ferrell (@josh-ferrell) from VMware has reported that a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it *cannot* be used to get the *content* of those secrets.

Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above.

  • CVSS V3 rated as Critical - 8.5 severity.
  • CVSS V2 rated as Medium - 5.5 severity.
    • Solution
    The issue will be addressed in the forthcoming Contour v1.18.0 and a patch release, v1.17.1, has been released in the meantime.

    It is addressed in two ways:
    - disabling ExternalName type Services by default
    - When ExternalName Services are enabled, block obvious "localhost" entries.Workaround:
    Not easily. It's not possible to control the creation of ExternalName Services with RBAC without the use of Gatekeeper or other form of admission control, and the creation of services is required for Contour to actually work for application developer personas.
    Vendor References

    CVEs related to QID 981425

    CVE-2021-32783 |
    Software Advisories
    Advisory ID Software Component Link
    GHSA-5ph6-qq5x-7jwc github.com/projectcontour/contour URL Logo github.com/advisories/GHSA-5ph6-qq5x-7jwc
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].
    © CVE.report 2026 |

    Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

    CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

    Free CVE JSON API cve.report/api

    CVE.report and Source URL Uptime Status status.cve.report