Package details: pkg:alpm/archlinux/istio@1.10.0-1
purl pkg:alpm/archlinux/istio@1.10.0-1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (6)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-dp7a-3quf-aaac | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received. | CVE-2021-28683 |
| VCID-fhr4-2cw2-aaaj | Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration. | CVE-2021-31921 |
| VCID-n735-w925-aaaf | Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. | CVE-2021-31920, GHSA-6q5m-22mq-q2xv |
| VCID-pbmp-naqq-aaam | An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion. | CVE-2021-29258 |
| VCID-qyex-hm2q-aaaa | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations. | CVE-2021-28682 |
| VCID-u5y5-tcfd-aaan | Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. Impact: Escalation of Privileges when using RBAC or JWT filters with enforcement based on URL path. Users with back end servers that interpret `%2F` and `/` and `%5C` and `\` interchangeably are impacted. Attack Vector: URL paths containing escaped slash characters delivered by untrusted client. Patches in versions 1.18.3, 1.17.3, 1.16.4, 1.15.5 contain new path normalization option to decode escaped slash characters. As a workaround, if back end servers treat `%2F` and `/` and `%5C` and `\` interchangeably and a URL path based access control is configured, one may reconfigure the back end server to not treat `%2F` and `/` and `%5C` and `\` interchangeably. | CVE-2021-29492 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2025-03-28T07:44:07.126903+00:00 | Arch Linux Importer | Fixing | VCID-qyex-hm2q-aaaa | https://security.archlinux.org/AVG-1947 | 36.0.0 |
| 2025-03-28T07:44:07.098900+00:00 | Arch Linux Importer | Fixing | VCID-dp7a-3quf-aaac | https://security.archlinux.org/AVG-1947 | 36.0.0 |
| 2025-03-28T07:44:07.069438+00:00 | Arch Linux Importer | Fixing | VCID-pbmp-naqq-aaam | https://security.archlinux.org/AVG-1947 | 36.0.0 |
| 2025-03-28T07:44:07.042083+00:00 | Arch Linux Importer | Fixing | VCID-u5y5-tcfd-aaan | https://security.archlinux.org/AVG-1947 | 36.0.0 |
| 2025-03-28T07:44:07.010195+00:00 | Arch Linux Importer | Fixing | VCID-n735-w925-aaaf | https://security.archlinux.org/AVG-1947 | 36.0.0 |
| 2025-03-28T07:44:06.991504+00:00 | Arch Linux Importer | Fixing | VCID-fhr4-2cw2-aaaj | https://security.archlinux.org/AVG-1947 | 36.0.0 |
| 2024-09-18T01:59:14.649750+00:00 | Arch Linux Importer | Fixing | VCID-qyex-hm2q-aaaa | https://security.archlinux.org/AVG-1947 | 34.0.1 |
| 2024-09-18T01:59:14.628692+00:00 | Arch Linux Importer | Fixing | VCID-dp7a-3quf-aaac | https://security.archlinux.org/AVG-1947 | 34.0.1 |
| 2024-09-18T01:59:14.602468+00:00 | Arch Linux Importer | Fixing | VCID-pbmp-naqq-aaam | https://security.archlinux.org/AVG-1947 | 34.0.1 |
| 2024-09-18T01:59:14.575990+00:00 | Arch Linux Importer | Fixing | VCID-u5y5-tcfd-aaan | https://security.archlinux.org/AVG-1947 | 34.0.1 |
| 2024-09-18T01:59:14.548922+00:00 | Arch Linux Importer | Fixing | VCID-n735-w925-aaaf | https://security.archlinux.org/AVG-1947 | 34.0.1 |
| 2024-09-18T01:59:14.524283+00:00 | Arch Linux Importer | Fixing | VCID-fhr4-2cw2-aaaj | https://security.archlinux.org/AVG-1947 | 34.0.1 |
| 2024-01-03T22:25:32.289680+00:00 | Arch Linux Importer | Fixing | VCID-qyex-hm2q-aaaa | https://security.archlinux.org/AVG-1947 | 34.0.0rc1 |
| 2024-01-03T22:25:32.266063+00:00 | Arch Linux Importer | Fixing | VCID-dp7a-3quf-aaac | https://security.archlinux.org/AVG-1947 | 34.0.0rc1 |
| 2024-01-03T22:25:32.242064+00:00 | Arch Linux Importer | Fixing | VCID-pbmp-naqq-aaam | https://security.archlinux.org/AVG-1947 | 34.0.0rc1 |
| 2024-01-03T22:25:32.220722+00:00 | Arch Linux Importer | Fixing | VCID-u5y5-tcfd-aaan | https://security.archlinux.org/AVG-1947 | 34.0.0rc1 |
| 2024-01-03T22:25:32.196664+00:00 | Arch Linux Importer | Fixing | VCID-n735-w925-aaaf | https://security.archlinux.org/AVG-1947 | 34.0.0rc1 |
| 2024-01-03T22:25:32.172804+00:00 | Arch Linux Importer | Fixing | VCID-fhr4-2cw2-aaaj | https://security.archlinux.org/AVG-1947 | 34.0.0rc1 |