5 matches found
Contour has Lua code injection via Cookie Path Rewrite Policy
Impact: Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the following fields that results in arbitrary code execution in the Envoy proxy: -...
CVE-2026-41246
Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in...
GHSA-P77J-4MVH-X3M3 vulnerabilities
Vulnerabilities for packages: melange, modelmesh-runtime-adapter, terraform-provider-acme, flux, secrets-store-csi-driver, redpanda, container-object-storage-interface, crossplane-provider-aws-dynamodb, percona-server-mongodb-operator, calico, headlamp, tfsec, node-problem-detector, coredns,...
Contour security vulnerability
Contour is Project Contour's open source Kubernetes ingress controller, which uses the Envoy proxy. A security vulnerability exists in Contour 1.28.3 and earlier versions; it stems from insecure permissions that allow an attacker to access sensitive data and elevate...
CVE-2024-36539
Insecure permissions in Contour v1.28.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token...