Search for packages
| purl | pkg:golang/istio.io/istio@1.2.0 |
| Tags | Ghost |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3gua-vux5-aaaq
Aliases: CVE-2019-9512 GHSA-hgr8-6h9x-f7q9 |
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | There are no reported fixed by versions. |
|
VCID-53ez-ykh2-aaag
Aliases: CVE-2019-15226 |
CVE-2019-15226 envoy: crafted request allows remote attacker to cause denial of service | There are no reported fixed by versions. |
|
VCID-6ypc-78mx-aaac
Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f |
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | There are no reported fixed by versions. |
|
VCID-8vay-89ye-aaae
Aliases: CVE-2019-12995 |
Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwt_authenticator.cc segmentation fault. | There are no reported fixed by versions. |
|
VCID-kfap-b6t7-aaam
Aliases: CVE-2019-9515 |
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | There are no reported fixed by versions. |
|
VCID-qzf4-cp5y-aaaq
Aliases: CVE-2019-18802 |
CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure | There are no reported fixed by versions. |
|
VCID-t2e5-ct53-aaan
Aliases: CVE-2019-14993 GHSA-qcvw-82hh-gq38 |
CVE-2019-14993 istio/envoy: mishandling regular expressions for long URIs leading to DoS |
Affected by 0 other vulnerabilities. |
|
VCID-t7tm-t2rh-aaah
Aliases: CVE-2019-9513 |
Excessive CPU usage in HTTP/2 with priority changes | There are no reported fixed by versions. |
|
VCID-tbrp-5sm7-aaak
Aliases: CVE-2019-9518 |
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. | There are no reported fixed by versions. |
|
VCID-w3w7-upq4-aaam
Aliases: CVE-2019-18801 |
CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1 | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|