17 matches found
CVE-2026-33726 Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is...
EUVD-2021-19543
Malware in sbrugna...
EUVD-2021-19542
Malware in sbrugna...
BIT-ENVOY-2021-32777 Incorrect concatenation of multiple value request headers in ext-authz extension
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, when the ext-authz extension is sending request headers to the external authorization service, it must merge multiple value headers according to the HTTP spec. However,...
BIT-ENVOY-2021-32780 Incorrect handling of H/2 GOAWAY followed by SETTINGS frames
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions an H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to...
BIT-ENVOY-2021-32781 Continued processing of requests after locally generated response
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, after Envoy sends a locally generated response it must stop further processing of request or response data. However, when a local response is generated due to the intern...
Denial Of Service (DoS)
github.com/cilium/cilium is vulnerable to Denial of Service (DoS). The vulnerability is due to a lack of checks to confirm if the L7 proxy is enabled or disabled before processing the proxyVisibility annotations. When the L7 proxy is disabled, any workload with these annotations can crash the Ciliu...
Design/Logic Flaw
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...
CVE-2022-24797 Exposure of Sensitive Information in Pomerium
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...
CVE-2022-24797 Exposure of Sensitive Information in Pomerium
Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This...
Code injection
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions an H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to...
Authorization
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, when the ext-authz extension is sending request headers to the external authorization service, it must merge multiple value headers according to the HTTP spec. However,...
Design/Logic Flaw
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy's procedure for resetting an HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are...
CVE-2021-32780
CVE-2021-32780 affects Envoy. A sequence of HTTP/2 GOAWAY followed by SETTINGS (SETTINGS_MAX_CONCURRENT_STREAMS=0) frames can trigger an invalid state transition from CLOSED to DRAINING, causing abnormal termination and DoS in the presence of untrusted upstream servers. Affected Envoy versions in...
CVE-2021-32781 Continued processing of requests after locally generated response
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions, after Envoy sends a locally generated response it must stop further processing of request or response data. However, when a local response is generated due to the intern...
CVE-2021-32781
CVE-2021-32781 affects Envoy, an open-source L7 proxy. The vulnerability arises during processing after a locally generated response, where an internal buffer overflow can prevent stopping request/response processing, potentially allowing access to freed memory. Affected Envoy versions include 1.1...
CVE-2021-32778
CVE-2021-32778 affects Envoy, where the HTTP/2 stream reset procedure has O(N^2) time complexity, causing high CPU and potential DoS when many streams are opened and closed. Connected advisories indicate fixes in Envoy versions 1.16.5, 1.17.4, 1.18.4, and 1.19.1, addressing the inefficiency. Othe...