Package details: pkg:golang/istio.io/istio@1.4.0
purl: pkg:golang/istio.io/istio@1.4.0
Tags: Ghost
Next non-vulnerable version: None.
Latest non-vulnerable version: None.
Risk: 4.5
Vulnerabilities affecting this package (10)
Columns: Vulnerability / Aliases / Summary / Fixed by

VCID-1j4w-hqp4-aaah
  Aliases: CVE-2020-11080
  Summary: In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), then drop the connection.
  Fixed by: There are no reported fixed by versions.

VCID-7bny-d56w-aaan
  Aliases: CVE-2020-8660
  Summary: CVE-2020-8660 envoy: TLS inspector bypass
  Fixed by: There are no reported fixed by versions.

VCID-81d4-th14-aaak
  Aliases: CVE-2020-8659
  Summary: CVE-2020-8659 envoy: Excessive CPU and/or memory usage when proxying HTTP/1.1
  Fixed by: There are no reported fixed by versions.

VCID-aspk-ntyx-aaar
  Aliases: CVE-2020-8595
  Summary: CVE-2020-8595 istio: unauthorised access to JWT protected HTTP path
  Fixed by: There are no reported fixed by versions.

VCID-fc5d-duuv-aaaa
  Aliases: CVE-2020-8664
  Summary: CVE-2020-8664 envoy: Incorrect Access Control when using SDS with Combined Validation Context
  Fixed by: There are no reported fixed by versions.

VCID-ncgy-zymr-aaap
  Aliases: CVE-2020-1764, GHSA-64rh-r86q-75ff
  Summary: CVE-2020-1764 kiali: JWT cookie uses default signing key
  Fixed by: There are no reported fixed by versions.

VCID-q75c-z771-aaan
  Aliases: CVE-2020-10739
  Summary: CVE-2020-10739 istio/envoy: crafted packet allows remote attacker to cause denial of service
  Fixed by: There are no reported fixed by versions.

VCID-qzf4-cp5y-aaaq
  Aliases: CVE-2019-18802
  Summary: CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure
  Fixed by: There are no reported fixed by versions.

VCID-r389-jp77-aaac
  Aliases: CVE-2020-8661
  Summary: CVE-2020-8661 envoy: Response flooding for HTTP/1.1
  Fixed by: There are no reported fixed by versions.

VCID-w3w7-upq4-aaam
  Aliases: CVE-2019-18801
  Summary: CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
  Fixed by: There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.