CVE-2023-30845: 
ESPv2 vulnerability analysis and mitigation

ESPv2 (versions 2.20.0 through 2.42.0) contains an authentication bypass vulnerability identified as CVE-2023-30845. The vulnerability allows API clients to bypass JWT authentication by crafting malicious X-HTTP-Method-Override header values. The issue was discovered and disclosed to the ESPv2 team on March 14, 2023, and was fixed on March 28, 2023 (GitHub Advisory).

The vulnerability occurs when two specific conditions are met: 1) The requested HTTP method is not in the API service definition (OpenAPI spec or gRPC google.api.http proto annotations), and 2) The specified X-HTTP-Method-Override is a valid HTTP method in the API service definition. Under these conditions, ESPv2 forwards the request to the backend without verifying the JWT. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL by NVD and 8.2 HIGH by GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to bypass JWT authentication requirements by crafting requests with a malicious X-HTTP-Method-Override value. This enables unauthorized access to protected endpoints that normally require valid JWT tokens. However, it's important to note that API key restrictions remain unaffected and continue to work as intended (GitHub Advisory).

The recommended mitigation is to upgrade deployments to release v2.43.0 or higher. This patched version ensures that JWT authentication occurs even when the caller specifies x-http-method-override. The functionality of x-http-method-override remains supported in v2.43.0+, allowing API clients to continue using this header with ESPv2 securely (GitHub Advisory).