Package details: pkg:golang/istio.io/istio@1.5.0
purl pkg:golang/istio.io/istio@1.5.0
Tags Ghost
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-17ev-b3gv-aaak
Aliases:
CVE-2020-12603
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames. There are no reported fixed by versions.
VCID-1j4w-hqp4-aaah
Aliases:
CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. There are no reported fixed by versions.
VCID-3sjw-grzy-aaah
Aliases:
CVE-2020-15104
In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0. There are no reported fixed by versions.
VCID-5jkw-4a5e-aaak
Aliases:
CVE-2020-16844
GHSA-82mm-ffjr-h86c
In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
Fixed by: 1.5.9 (affected by 0 other vulnerabilities), 1.6.8 (affected by 0 other vulnerabilities).
VCID-jmzf-2r8j-aaaf
Aliases:
CVE-2020-8663
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. There are no reported fixed by versions.
VCID-ncgy-zymr-aaap
Aliases:
CVE-2020-1764
GHSA-64rh-r86q-75ff
CVE-2020-1764 kiali: JWT cookie uses default signing key. There are no reported fixed by versions.
VCID-ndh8-q9rv-aaad
Aliases:
CVE-2020-12605
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs. There are no reported fixed by versions.
VCID-p7jq-wvxq-aaac
Aliases:
CVE-2020-12604
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. There are no reported fixed by versions.
VCID-q75c-z771-aaan
Aliases:
CVE-2020-10739
CVE-2020-10739 istio/envoy: crafted packet allows remote attacker to cause denial of service. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.