GHSA-2WMF-P7F8-W42H EnvoyProxy Envoy Missing HTTP URL path normalization
Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provide...
Fedora: Security Advisory for golang-github-envoyproxy-protoc-gen-validate (FEDORA-2022-08ae2dd481)
The remote host is missing an update for the 'golang-github-envoyproxy-protoc-gen-validate' package(s) announced via the FEDORA-2022-08ae2dd481 advisory...
[SECURITY] Fedora 36 Update: golang-github-envoyproxy-protoc-gen-validate-0.4.1-5.fc36
Protoc plugin to generate polyglot message validators...
Fedora: Security Advisory for golang-github-envoyproxy-protoc-gen-validate (FEDORA-2022-5cbd6de569)
The remote host is missing an update for the 'golang-github-envoyproxy-protoc-gen-validate' package(s) announced via the FEDORA-2022-5cbd6de569 advisory...
Fedora: Security Advisory for golang-github-envoyproxy-protoc-gen-validate (FEDORA-2022-3a63897745)
The remote host is missing an update for the 'golang-github-envoyproxy-protoc-gen-validate' package(s) announced via the FEDORA-2022-3a63897745 advisory...
[SECURITY] Fedora 35 Update: golang-github-envoyproxy-protoc-gen-validate-0.4.1-5.fc35
Protoc plugin to generate polyglot message validators...
envoyproxy/envoy: excessive CPU usage when handling a large number of HTTP/2 requests
An uncontrolled resource consumption vulnerability was found in envoyproxy/envoy. When envoy handles a large number of HTTP/2 requests which open and then reset the connection, it can cause excessive CPU usage. This flaw allows an attacker to cause a denial of service on the proxy. The highest...
PT-2021-22458 · Pomerium +1
Name of the vulnerable software and affected versions: envoyproxy envoy, pomerium (affected versions not specified). Description: the issue concerns a problem in envoyproxy envoy and pomerium; no specific details about the nature of the issue or its potential impact are provided. Recommendations: At...
Authorization Bypass
servicemesh-proxy is vulnerable to authorization bypass: specifically crafted requests can bypass authorization. Attackers may be able to escalate privileges when the ext-authz extension is in use, or when a backend service relies on multi-value headers for authorization. A specifically constructed...
RHEL 8 : Red Hat OpenShift Service Mesh 1.1.17.1 (RHSA-2021:3273)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3273 advisory. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise...
RHEL 8 : Red Hat OpenShift Service Mesh 2.0.7.1 (RHSA-2021:3272)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3272 advisory. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise...
CVE-2021-32780
A vulnerability was found in envoyproxy/envoy, in which the application terminates abruptly. The error occurs when envoy receives a GOAWAY frame followed by a SETTINGS frame with the parameter SETTINGS_MAX_CONCURRENT_STREAMS set to 0. This flaw allows an attacker to cause a denial of service on the...
CVE-2021-32781
An out-of-bounds memory read vulnerability was found in envoyproxy/envoy. It is reachable when using an envoy extension that can modify and increase the size of a request or response body: the decompressor, json-transcoder, grpc-web, or other proprietary extensions. This...
CVE-2021-32779
An authorization bypass vulnerability was found in envoyproxy/envoy. When a URI path-based authorization policy is specified, envoy incorrectly evaluates the HTTP request which contains a URI fragment. This flaw allows an attacker to bypass the authorization policy and access downstream services...
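Both the missing path-normalization entry (a relative path such as `something/../admin` slipping past a block on `/admin`) and the URI-fragment entry above come down to the same mistake: the proxy evaluates its path-based policy on the request-target as received, while the backend routes on a canonicalized form of it. The following is an added example, not Envoy code or text from any of the listed advisories; the deny-list, the function names and the sample request paths are constructed to show the mismatch, with a naive check beside a hardened one that normalizes first and refuses fragments rather than guessing how the backend will read them.

```python
"""Toy model of the proxy/backend path mismatch behind path-normalization
and URI-fragment authorization bypasses. Added example; not Envoy code.
The deny-list, function names and request samples are constructed."""
from typing import List, Tuple

DENIED_PREFIXES = ("/admin",)   # constructed policy: block the admin area at the proxy


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments and collapse empty segments, in the spirit
    of RFC 3986 section 5.2.4. Approximates what a backend does before routing."""
    out: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    result = "/" + "/".join(out)
    # keep a trailing slash when the request named a directory
    if path.endswith(("/", "/.", "/..")) and result != "/":
        result += "/"
    return result


def backend_sees(raw_path: str) -> str:
    """Path a typical backend routes on: fragment dropped, dot segments resolved."""
    return remove_dot_segments(raw_path.split("#", 1)[0])


def naive_authorize(raw_path: str) -> str:
    """Vulnerable pattern: the policy is matched against the path exactly as received."""
    return "deny" if raw_path.startswith(DENIED_PREFIXES) else "allow"


def hardened_authorize(raw_path: str) -> str:
    """Hardened pattern: refuse ambiguous requests, then match the normalized path.
    A '#' in the request-target is rejected outright instead of being interpreted,
    because proxy and backend may disagree on what follows it."""
    if "#" in raw_path:
        return "reject"
    if remove_dot_segments(raw_path).startswith(DENIED_PREFIXES):
        return "deny"
    return "allow"


def audit(raw_path: str) -> Tuple[str, str, str]:
    """Return (naive decision, hardened decision, path the backend would serve)
    so the two policies can be compared side by side for one request."""
    return naive_authorize(raw_path), hardened_authorize(raw_path), backend_sees(raw_path)


if __name__ == "__main__":
    samples = ("/admin", "/something/../admin", "/static/./..//admin/",
               "/admin#top", "/public/index.html")
    for req in samples:
        naive, hardened, served = audit(req)
        print(f"{req:24} naive={naive:6} hardened={hardened:6} backend={served}")
```

Run it and the second sample is the interesting row: the naive policy allows `/something/../admin` because the raw string does not start with `/admin`, yet the backend resolves it to `/admin` and serves it. The hardened check denies the same request, and refuses anything carrying a fragment. Percent-encoded dot segments (`%2e%2e`) are a further variant of the same problem that this toy normalizer does not decode.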
RHEL 8 : Red Hat OpenShift Service Mesh 2.0.4 (RHSA-2021:1538)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1538 advisory. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise...
Envoyproxy path traversal vulnerability
Envoy is an open source distributed proxy server. Envoy is vulnerable to a path traversal vulnerability that could be exploited by an attacker to bypass the program's authorization services...
Denial Of Service (DoS)
servicemesh-proxy is vulnerable to denial of service. A NULL pointer dereference vulnerability in envoyproxy/envoy allows an attacker to crash the application by establishing a TLS session that sends an invalid TLS alert code, resulting in a denial of service...
RHEL 8 : Red Hat OpenShift Service Mesh 1.1.13 (RHSA-2021:1322)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1322 advisory. Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise...
CVE-2021-29258
A flaw was found in envoyproxy. An attacker able to craft an HTTP/2 request that specifies an empty metadata map can crash envoy through a null pointer dereference, resulting in a denial of service. The highest threat from this vulnerability is to system availability...