Advisory

GCP ESPv2 open source proxy for GCP fixes a Critical API Authorization Bypass

Take action: If you are using Google Cloud Platform services through GCP ESPv2, patch immediately to v2.43.0 or higher.


Learn More

A critical vulnerability (CVE-2023-30845) has been discovered in GCP ESPv2, an open-source service proxy used for API management in Google Service Infrastructure.

The vulnerability allows malicious API clients to bypass JWT authentication by manipulating the X-HTTP-Method-Override header under specific circumstances:

  • The X-HTTP-Method-Override header lets a client ask that a request be treated as if it had been sent with a different HTTP method. It is normally used when certain methods are restricted by firewalls or intermediaries, for example sending a POST that carries "X-HTTP-Method-Override: PUT".
  • In ESPv2 this header manipulation can be used to bypass JWT authentication. The bypass occurs only when both of the following hold:
    • the HTTP method actually sent in the request is not defined for that path in the API service specification (OpenAPI spec or gRPC google.api.http proto annotations), and
    • the method named in X-HTTP-Method-Override is a valid HTTP method for that path in the API service definition.
  • EXAMPLE: If an API service only allows POST requests with valid JWT tokens, a malicious client can evade authentication by sending a PUT request with the X-HTTP-Method-Override header set to POST. Because the proxy does not apply the JWT requirement to the overridden request, the call is accepted without a valid token, potentially leading to a security breach.
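To make the two trigger conditions concrete, here is an added, simplified model of a proxy resolving a route and its authorization requirement. It is illustrative code written for this advisory, not ESPv2's source, and the API service definition, request shape and status codes in it are constructed assumptions; the hardened resolver shows one defensive policy (look up authorization by the method that is actually dispatched, and honour the override only when the original method is itself a defined operation), not necessarily the change shipped in v2.43.0.

```python
from dataclasses import dataclass, field

# Constructed API service definition: only POST /v1/items exists and it
# requires a valid JWT. Any other method on that path is undefined.
SPEC = {
    "/v1/items": {"POST": {"auth": "jwt"}},
}

OVERRIDE_HEADER = "X-HTTP-Method-Override"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    has_valid_jwt: bool = False  # assume the JWT was already verified upstream


def effective_method(req: Request) -> str:
    """Method the request will be dispatched as, after applying the override."""
    return req.headers.get(OVERRIDE_HEADER, req.method).upper()


def dispatch_vulnerable(req: Request) -> int:
    """Bug pattern: auth policy keyed on the ORIGINAL method, routing on the
    OVERRIDDEN method. PUT (undefined, so no policy) + override POST (defined)
    slips through without a token."""
    ops = SPEC.get(req.path, {})
    policy = ops.get(req.method.upper())  # lookup by original method
    if policy and policy["auth"] == "jwt" and not req.has_valid_jwt:
        return 401
    if effective_method(req) in ops:       # route by overridden method
        return 200
    return 404


def dispatch_hardened(req: Request) -> int:
    """Honour the override only if the original method is itself defined for
    the path; then apply the policy of the method that is actually dispatched."""
    ops = SPEC.get(req.path, {})
    if req.method.upper() not in ops:
        return 404  # original method undefined: the override is not honoured
    policy = ops.get(effective_method(req))
    if policy is None:
        return 404
    if policy["auth"] == "jwt" and not req.has_valid_jwt:
        return 401
    return 200
```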

Given the significant market share of Google Cloud Platform (GCP) and the potential impact on businesses relying on GCP's services, it is crucial to address this vulnerability promptly by updating to ESPv2 v2.43.0 or higher.
