| Field | Value |
|---|---|
| purl | pkg:golang/istio.io/istio@0.2.1 |
| Tags | Ghost |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2cyz-8huy-aaae (Aliases: CVE-2022-31045, GHSA-xwx5-5c9g-x68x) | Istio is an open platform to connect, manage, and secure microservices. In affected versions, ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access, resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-2q3s-huh9-aaaq (Aliases: CVE-2022-39278) | Denial of service attack due to the Go regex library. | There are no reported fixed by versions. |
| VCID-3sjw-grzy-aaah (Aliases: CVE-2020-15104) | In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0, when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies both to validating a client TLS certificate in mTLS and to validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0. | There are no reported fixed by versions. |
| VCID-52xg-rf8u-aaam (Aliases: CVE-2022-29227) | CVE-2022-29227 envoy: Internal redirect crash for requests with body/trailers | There are no reported fixed by versions. |
| VCID-8ev5-c8zj-aaar (Aliases: CVE-2021-43824) | CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match | There are no reported fixed by versions. |
| VCID-anga-kngu-aaac (Aliases: CVE-2022-23606) | CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service | There are no reported fixed by versions. |
| VCID-av3y-xjr9-aaac (Aliases: CVE-2022-29226) | Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1, the OAuth filter implementation does not include a mechanism for validating access tokens, so by design, when the HMAC-signed cookie is missing, a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated, thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue. | There are no reported fixed by versions. |
| VCID-cty8-9t9r-aaaf (Aliases: CVE-2022-21655) | CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry | There are no reported fixed by versions. |
| VCID-dd2s-45wa-aaaj (Aliases: CVE-2021-32780) | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, Envoy transitions an H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to an invalid state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream server will result in Denial of Service in the presence of untrusted **upstream** servers. Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after the connection transitions to the CLOSED state. | There are no reported fixed by versions. |
| VCID-dp7a-3quf-aaac (Aliases: CVE-2021-28683) | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received. | There are no reported fixed by versions. |
| VCID-dr72-63u4-aaaj (Aliases: CVE-2021-32777) | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, when the ext-authz extension sends request headers to the external authorization service, it must merge multiple-value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using the ext-authz extension or a backend service that uses multiple-value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of the ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values when sending the request for authorization. | There are no reported fixed by versions. |
| VCID-dss6-rcaa-aaag (Aliases: CVE-2022-21654) | CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation | There are no reported fixed by versions. |
| VCID-dx29-y4ke-aaag (Aliases: CVE-2021-43825) | CVE-2021-43825 envoy: Use-after-free when response filters increase response data | There are no reported fixed by versions. |
| VCID-fhr4-2cw2-aaaj (Aliases: CVE-2021-31921) | Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with the AUTO_PASSTHROUGH routing configuration. | There are no reported fixed by versions. |
| VCID-fw7c-6u9d-aaaa (Aliases: CVE-2022-29225) | CVE-2022-29225 envoy: Decompressors can be zip bombed | There are no reported fixed by versions. |
| VCID-hp9r-e7uw-aaan (Aliases: CVE-2022-29228) | Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1, the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn't ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue. | There are no reported fixed by versions. |
| VCID-jztw-yc9e-aaaa (Aliases: CVE-2021-32778) | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, Envoy's procedure for resetting an HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with a high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large number of H/2 streams. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce the time complexity of resetting HTTP/2 streams. As a workaround, users may limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, i.e. 100. | There are no reported fixed by versions. |
| VCID-k6p6-jgh7-aaah (Aliases: CVE-2021-39156, GHSA-hqxw-mm44-gc4r) | Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio's URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround, a Lua filter may be written to normalize the path. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-n735-w925-aaaf (Aliases: CVE-2021-31920, GHSA-6q5m-22mq-q2xv) | Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. | Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-pbmp-naqq-aaam (Aliases: CVE-2021-29258) | An issue was discovered in Envoy 1.14.0. There is a remotely exploitable crash for HTTP2 Metadata, because an empty METADATA map triggers a Reachable Assertion. | There are no reported fixed by versions. |
| VCID-q8fq-1yrc-aaag (Aliases: CVE-2022-24921) | regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. | There are no reported fixed by versions. |
| VCID-qyex-hm2q-aaaa (Aliases: CVE-2021-28682) | An issue was discovered in Envoy through 1.71.1. There is a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations. | There are no reported fixed by versions. |
| VCID-smme-5z7a-aaan (Aliases: CVE-2022-24726) | CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion | There are no reported fixed by versions. |
| VCID-t2dx-c3xy-aaaa (Aliases: CVE-2021-32781) | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, after Envoy sends a locally generated response it must stop further processing of request or response data. However, when the local response is generated due to an internal buffer overflow while the request or response is processed by the filter chain, the operation may not be stopped completely and may result in accessing a freed memory block. A specifically constructed request delivered by an untrusted downstream or upstream peer, in the presence of extensions that modify and increase the size of request or response bodies (such as the decompressor filter), results in a Denial of Service. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to address incomplete termination of request processing after a locally generated response. As a workaround, disable Envoy's decompressor, json-transcoder or grpc-web extensions, or proprietary extensions that modify and increase the size of request or response bodies, if feasible. | There are no reported fixed by versions. |
| VCID-u6b2-rfe9-aaaf (Aliases: CVE-2022-29224) | CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl | There are no reported fixed by versions. |
| VCID-w5ct-jkjq-aaak (Aliases: CVE-2021-39155, GHSA-7774-7vr3-cc8j) | Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case-insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way, which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects requests with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround, a Lua filter may be written to normalize the Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-wxdq-fahw-aaag (Aliases: CVE-2022-23635, GHSA-856q-xv3c-7f2f) | CVE-2022-23635 istio: unauthenticated control plane denial of service attack | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-y77q-dr57-aaae (Aliases: CVE-2021-43826) | CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|