CVE-2020-11767: 
NixOS vulnerability analysis and mitigation

Istio through 1.5.1 and Envoy through 1.14.1 contain a data-leak vulnerability. The issue occurs when there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, and a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. Instead of returning a 421 Misdirected Request response, the request is processed incorrectly (NVD).

The vulnerability stems from improper handling of HTTP/2 connection reuse as specified in RFC 7540 Sections 9.1.1 and 9.1.2. When a shared caching forward proxy reuses an HTTP/2 connection for a large subnet with many users, if a victim is interacting with abc.example.com and a server recycles the TCP connection to the forward proxy, the victim's browser may inadvertently send sensitive data to a *.example.com server. This occurs because while the forward proxy's connection reuse follows the specification, neither Istio nor Envoy implements the required 421 error response (Chromium Issue, Envoy Issue). The vulnerability has been assigned a CVSS v3.1 Base Score of 3.1 LOW (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) (NVD).

The vulnerability compromises the security model browsers have implemented between domains. It can lead to sensitive data being inadvertently sent to unintended servers when connection reuse occurs, potentially exposing confidential information to unauthorized domains (NVD).

The vulnerability has been fixed in versions after Istio 1.5.1 and Envoy 1.14.1. Organizations should upgrade to patched versions to prevent potential data leaks. No specific workarounds have been documented for those unable to upgrade immediately (NVD).