4433 matches found

Prion
added 2023/07/25 7:15 p.m. | 21 views

Design/Logic Flaw

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests wit...

CVSS 5 | AI score 6.1 | EPSS 0.00598
Exploits 1 | References 1 | Affected Software 1

CVE
added 2023/07/25 6:35 p.m. | 81 views

CVE-2023-35944

CVE-2023-35944 affects Envoy. The issue arises from case-sensitive internal HTTP/2 scheme checks, allowing mixed-case schemes (e.g., htTp, htTps) to be rejected or to bypass certain requests over unencrypted connections. The vulnerability exists prior to fixed releases and is mitigated by a patch...

CVSS 8.2 | AI score 7.1 | EPSS 0.00598
Exploits 1 | References 1 | Affected Software 1

Cvelist
added 2023/07/25 6:35 p.m. | 25 views

CVE-2023-35944 Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests wit...

CVSS 8.2 | AI score 9.1 | EPSS 0.00598
Exploits 1 | References 1

OSV
added 2023/07/25 6:35 p.m. | 21 views

CVE-2023-35944 Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests wit...

CVSS 8.2 | AI score 6.5 | EPSS 0.00598
Exploits 1 | References 3

Tenable Nessus
added 2023/07/25 12:0 a.m. | 20 views

Fedora 38 : aerc (2023-6cfe7492c1)

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-6cfe7492c1 advisory. Update to 0.15.2. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for this...

CVSS 5.3 | AI score 7 | EPSS 0.05623
Exploits 0 | References 2

Tenable Nessus
added 2023/07/25 12:0 a.m. | 23 views

Fedora 37 : aerc (2023-aa7c75ed4a)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-aa7c75ed4a advisory. Update to 0.15.2. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for this...

CVSS 5.3 | AI score 7 | EPSS 0.05623
Exploits 0 | References 2

Fedora
added 2023/07/23 1:29 a.m. | 38 views

[SECURITY] Fedora 38 Update: grpc-1.48.4-8.fc38

gRPC is a modern open source high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed...

CVSS 5.3 | AI score 5.6 | EPSS 0.00531
Exploits 0

Fedora
added 2023/07/23 1:24 a.m. | 29 views

[SECURITY] Fedora 37 Update: grpc-1.48.4-8.fc37

gRPC is a modern open source high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed...

CVSS 5.3 | AI score 5.6 | EPSS 0.00531
Exploits 0

NVD
added 2023/07/13 9:15 p.m. | 12 views

CVE-2023-35945

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWA...

CVSS 7.5 | EPSS 0.01106
Exploits 0 | References 2

OSV
added 2023/07/13 9:15 p.m. | 7 views

AZL-27650 CVE-2023-35945 affecting package nodejs for versions less than 16.20.2-2

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWA...

CVSS 7.5 | AI score 7.2 | EPSS 0.01106
Exploits 0 | References 1

Prion
added 2023/07/13 9:15 p.m. | 19 views

Memory corruption

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWA...

CVSS 5 | AI score 7.3 | EPSS 0.01106
Exploits 0 | References 2 | Affected Software 2

Cvelist
added 2023/07/13 8:41 p.m. | 18 views

CVE-2023-35945 Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWA...

CVSS 7.5 | AI score 7.7 | EPSS 0.01106
Exploits 0 | References 2

Vulnrichment
added 2023/07/13 8:41 p.m. | 18 views

CVE-2023-35945 Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWA...

CVSS 7.5 | AI score 6.8 | EPSS 0.01106
Exploits 0 | References 2

AlpineLinux
added 2023/07/13 8:41 p.m. | 72 views

CVE-2023-35945

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWA...

CVSS 7.5 | AI score 7.6 | EPSS 0.01106
Exploits 0

CVE
added 2023/07/13 8:41 p.m. | 271 views

CVE-2023-35945

CVE-2023-35945 affects Envoy’s HTTP/2 codec. The root cause is in nghttp2 cleanup: after RST_STREAM and subsequent GOAWAY, cleanup of pending requests skips deallocation, leaking header/bookkeeping structures and causing memory exhaustion (DoS). Patched in these versions: 1.26.3, 1.25.8, 1.24.9, ...

CVSS 7.5 | AI score 7.4 | EPSS 0.01106
Exploits 0 | References 2 | Affected Software 1

RedhatCVE
added 2023/07/13 6:35 p.m. | 97 views

CVE-2023-35945

A flaw was found in Envoy, where a specifically crafted response from an untrusted upstream service can cause a denial of service through memory exhaustion. This issue is caused by Envoy’s HTTP/2 codec, which may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately,...

CVSS 7.5 | AI score 6.1 | EPSS 0.01106
Exploits 0 | References 4

IBM Security Bulletins
added 2023/07/13 2:55 p.m. | 41 views

Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to Golang Go (CVE-2022-41723)

Summary: IBM Event Streams is affected by golang / golang-xnet vulnerability for version 0.7.0 CVE-2022-41723. Vulnerability Details: CVEID: CVE-2022-41723. DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream,...

CVSS 7.5 | AI score 7.4 | EPSS 0.04561
Exploits 0 | Affected Software 1

Github Security Blog
added 2023/07/06 9:15 p.m. | 37 views

gRPC Reachable Assertion issue

There exists a vulnerability causing an abort to be called in gRPC. The following headers cause gRPC's C++ implementation to abort when called via http2: te: x (x != trailers); :scheme: x (x != http, https); grpclb_client_stats: x (x == anything). On top of sending one of those headers, a later header must...

CVSS 7.5 | AI score 6.7 | EPSS 0.00412
Exploits 0 | References 5 | Affected Software 3

RedHat Linux
added 2023/07/06 3:1 a.m. | 2 views

golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...

CVSS 5.3 | AI score 6.6 | EPSS 0.05623
Exploits 0 | References 9

IBM Security Bulletins
added 2023/07/05 9:52 p.m. | 53 views

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

Summary: Potential vulnerabilities in Golang Go have been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. Refer to details for additional information. Vulnerability Details: CVEID: CVE-2022-41722. DESCRIPTION: Golang Go could allow a remote attacker to traverse directories ...

CVSS 7.8 | AI score 9.4 | EPSS 0.05623
Exploits 7 | Affected Software 1