Package details: pkg:golang/istio.io/istio@1.13.0
purl pkg:golang/istio.io/istio@1.13.0
Tags Ghost
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.5
Vulnerabilities affecting this package (16)
Vulnerability Summary Fixed by
VCID-2cyz-8huy-aaae
Aliases: CVE-2022-31045, GHSA-xwx5-5c9g-x68x
Summary: Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue.
Fixed by: 1.13.5 (affected by 0 other vulnerabilities); 1.14.1 (affected by 0 other vulnerabilities)

VCID-2q3s-huh9-aaaq
Aliases: CVE-2022-39278
Summary: Denial of service attack due to Go Regex Library.
Fixed by: none reported.

VCID-52xg-rf8u-aaam
Aliases: CVE-2022-29227
Summary: CVE-2022-29227 envoy: Internal redirect crash for requests with body/trailers
Fixed by: none reported.

VCID-8ev5-c8zj-aaar
Aliases: CVE-2021-43824
Summary: CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match
Fixed by: none reported.

VCID-anga-kngu-aaac
Aliases: CVE-2022-23606
Summary: CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service
Fixed by: none reported.

VCID-av3y-xjr9-aaac
Aliases: CVE-2022-29226
Summary: Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this issue.
Fixed by: none reported.

VCID-cty8-9t9r-aaaf
Aliases: CVE-2022-21655
Summary: CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry
Fixed by: none reported.

VCID-dss6-rcaa-aaag
Aliases: CVE-2022-21654
Summary: CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation
Fixed by: none reported.

VCID-dx29-y4ke-aaag
Aliases: CVE-2021-43825
Summary: CVE-2021-43825 envoy: Use-after-free when response filters increase response data
Fixed by: none reported.

VCID-fw7c-6u9d-aaaa
Aliases: CVE-2022-29225
Summary: CVE-2022-29225 envoy: Decompressors can be zip bombed
Fixed by: none reported.

VCID-hp9r-e7uw-aaan
Aliases: CVE-2022-29228
Summary: Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn’t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.
Fixed by: none reported.

VCID-q8fq-1yrc-aaag
Aliases: CVE-2022-24921
Summary: regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.
Fixed by: none reported.

VCID-smme-5z7a-aaan
Aliases: CVE-2022-24726
Summary: CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion
Fixed by: none reported.

VCID-u6b2-rfe9-aaaf
Aliases: CVE-2022-29224
Summary: CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl
Fixed by: none reported.

VCID-wxdq-fahw-aaag
Aliases: CVE-2022-23635, GHSA-856q-xv3c-7f2f
Summary: CVE-2022-23635 istio: unauthenticated control plane denial of service attack
Fixed by: 1.13.1 (affected by 2 other vulnerabilities)

VCID-y77q-dr57-aaae
Aliases: CVE-2021-43826
Summary: CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP
Fixed by: none reported.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2024-09-18T09:07:16.674195+00:00 GithubOSV Importer Affected by VCID-wxdq-fahw-aaag https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-856q-xv3c-7f2f/GHSA-856q-xv3c-7f2f.json 34.0.1
2024-04-23T23:03:26.939769+00:00 GithubOSV Importer Affected by VCID-wxdq-fahw-aaag https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-856q-xv3c-7f2f/GHSA-856q-xv3c-7f2f.json 34.0.0rc4