VulnerableCode Package Details - pkg:golang/istio.io/istio@1.12.7

Search for packages

Vulnerability	Summary	Fixed by
VCID-2cyz-8huy-aaae Aliases: CVE-2022-31045 GHSA-xwx5-5c9g-x68x	Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue.	1.12.18 Affected by 0 other vulnerabilities. 1.13.5 Affected by 0 other vulnerabilities. 1.14.1 Affected by 0 other vulnerabilities.
VCID-52xg-rf8u-aaam Aliases: CVE-2022-29227	CVE-2022-29227 envoy: Internal redirect crash for requests with body/trailers	There are no reported fixed by versions.
VCID-av3y-xjr9-aaac Aliases: CVE-2022-29226	Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.	There are no reported fixed by versions.
VCID-fw7c-6u9d-aaaa Aliases: CVE-2022-29225	CVE-2022-29225 envoy: Decompressors can be zip bombed	There are no reported fixed by versions.
VCID-hp9r-e7uw-aaan Aliases: CVE-2022-29228	Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldnâ€™t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.	There are no reported fixed by versions.
VCID-u6b2-rfe9-aaaf Aliases: CVE-2022-29224	CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-2cyz-8huy-aaae
Aliases:
CVE-2022-31045
GHSA-xwx5-5c9g-x68x

Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue.

1.12.18
Affected by 0 other vulnerabilities.

1.13.5
Affected by 0 other vulnerabilities.

1.14.1
Affected by 0 other vulnerabilities.

VCID-52xg-rf8u-aaam
Aliases:
CVE-2022-29227

CVE-2022-29227 envoy: Internal redirect crash for requests with body/trailers