CVE-2020-8664: 
NixOS vulnerability analysis and mitigation

CNCF Envoy through version 1.13.0 contained an incorrect Access Control vulnerability when using SDS (Secret Discovery Service) with Combined Validation Context. The vulnerability was discovered by multiple researchers including Andon Andonov (Microsoft), Ryan Michela (Salesforce), Scott Beardsley (Pinterest), and Jasper Misset (Visma Connect). The issue was disclosed on March 3, 2020 and assigned CVE-2020-8664 (GitHub Advisory, NVD).

When using SDS TLS validation context, the update callback was only triggered when a secret was first received or when its value changed. If the same secret (e.g., trusted CA) was used across multiple resources, resources configured after the initial secret reception remained unconfigured until the secret's value changed. Due to incorrect code implementation, the available secret was processed as inlined validation context, causing only rules from the dynamic ("secret") part of the validation context to be applied, while completely bypassing rules from the static ("default") part (GitHub Advisory).

The vulnerability could lead to escalation of privileges and unauthorized access to services. When exploited, it could result in service spoofing and the bypass of security validation rules, as the static part of the validation context was not being properly applied (GitHub Advisory).

The vulnerability was patched in Envoy versions 1.13.1 and 1.12.3. Users are advised to upgrade to these or later versions to address the security issue (GitHub Advisory).