VDB
KO
HIGH 7.4

GHSA-22xc-xg2r-9j7v

Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode

Details

### Impact When Envoy Gateway runs in GatewayNamespaceMode (`provider.kubernetes.deploy.type=GatewayNamespace`), the xDS gRPC server is configured with a `StreamInterceptor` for JWT authentication but no UnaryInterceptor. The go-control-plane xDS server exposes both streaming and unary (Fetch) RPC methods for all registered discovery services. Since there is no unary interceptor, these Fetch endpoints are completely unauthenticated.

Additionally, the JWT authentication interceptor in GatewayNamespaceMode only validates tokens when the received gRPC message is of type `discoveryv3.DeltaDiscoveryRequest` . If the message is a `discoveryv3.DiscoveryRequest` — used by the State-of-the-World (SotW) xDS protocol — the type assertion fails, the validation block is skipped entirely, and RecvMsg returns nil (success) without any authentication.

Any pod in the cluster that can reach the xDS server (port 18000) can use the SotW protocol to bypass JWT authentication and access:

* TLS private keys via StreamSecrets (SDS) * All xDS resources via StreamAggregatedResources (ADS) * Backend endpoints via StreamClusters / StreamEndpoints (CDS/EDS) * Routing rules via StreamRoutes / StreamListeners (RDS/LDS)

### Credits

Envoy Gateway thanks @dashingDragon and @Donjon-Cerberus for reporting this issue.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/envoyproxy/gateway
Introduced in: 1.8.0-rc.0 Fixed in: 1.8.1
Fix go get github.com/envoyproxy/gateway@v1.8.1
Go / github.com/envoyproxy/gateway
Introduced in: 0 Fixed in: 1.7.4
Fix go get github.com/envoyproxy/gateway@v1.7.4

References