Lucene search
+L

91 matches found

NVD
NVD
added 2023/04/04 4:15 p.m.16 views

CVE-2023-27487

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token JWT checks and forge fake original paths. The header x-envoy-original-path should be an internal header, but...

9.1CVSS8.8AI score0.00636EPSS
Exploits1References1
CVE
CVE
added 2023/04/04 3:42 p.m.183 views

CVE-2023-27487

CVE-2023-27487 affects Envoy (edge/service proxy). The issue: a client can forge the internal x-envoy-original-path header because Envoy does not remove it early in request processing, allowing forged values to influence trace/grpc logs and jwt_authn URL checks. Impact is high (confidentiality/in...

9.1CVSS8.7AI score0.00636EPSS
Exploits1References1Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2022/09/25 11:13 p.m.20 views

Security Bulletin: Ensure that DataPower services running in production environments are not configured to blindly echo requests. (CVE-2013-0499)

Abstract DataPower services like XML Firewall, Multi Protocol Gateway, Web Service Proxy and Web Token Service when configured to blindly echo requests could result in potential security vulnerability in production environments. Content VULNERABILITY DETAILS: DESCRIPTION: For the purposes of...

4.3CVSS6.1AI score0.01208EPSS
Exploits2Affected Software1
OSV
OSV
added 2022/06/09 7:30 p.m.30 views

CVE-2022-29227 Use after free in Envoy

Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local...

7.5CVSS7.2AI score0.01141EPSS
Exploits0References4
NVD
NVD
added 2022/02/22 11:15 p.m.38 views

CVE-2022-21656

Envoy is an open source edge and service proxy, designed for cloud-native applications. The defaultvalidator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for example, an rfc822Na...

7.4CVSS0.0078EPSS
Exploits0References2
CVE
CVE
added 2022/02/22 10:45 p.m.170 views

CVE-2021-43825

CVE-2021-43825 is a vulnerability in Envoy where a buffer overflow during response processing in the filter chain may cause a use-after-free, potentially crashing the process and causing a denial of service. The provided connected documents (OSV, RHSA/Nessus listings) describe the issue as a use-...

7.5CVSS6.8AI score0.00877EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2022/02/22 10:35 p.m.34 views

CVE-2022-21654 Incorrect configuration handling allows TLS session re-use without re-validation in Envoy

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised...

7.4CVSS8AI score0.01078EPSS
Exploits0References4
CVE
CVE
added 2022/02/22 10:20 p.m.162 views

CVE-2022-23606

CVE-2022-23606 affects Envoy. When a cluster is deleted via Cluster Discovery Service (CDS), idle connections to endpoints in that cluster are disconnected. A recursion was introduced in the disconnect procedure, which can lead to stack exhaustion and abnormal process termination when many idle c...

6.5CVSS5.5AI score0.01016EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2022/02/22 10:15 p.m.169 views

CVE-2021-43824

CVE-2021-43824 affects Envoy. In affected versions, a crafted request with a CONNECT to the JWT filter configured with a regex match can crash Envoy, enabling a denial-of-service. The root cause is tied to the JWT filter when regex matching is used. Impact is described as a partial availability l...

7.5CVSS7.2AI score0.01062EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2021/10/07 7:15 p.m.18 views

CVE-2021-41130

Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header "X-Endpoint-API-UserInfo", the application can use ...

6.4CVSS0.00375EPSS
Exploits0References4
OSV
OSV
added 2021/10/07 7:15 p.m.25 views

CVE-2021-41130

Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header "X-Endpoint-API-UserInfo", the application can use ...

5.4CVSS7AI score
Exploits0References4
Prion
Prion
added 2021/10/07 7:15 p.m.16 views

Authorization

Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header "X-Endpoint-API-UserInfo", the application can use ...

4.9CVSS5.6AI score0.00375EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2021/10/07 6:30 p.m.22 views

CVE-2021-41130 X-Endpoint-API-UserInfo can be spoofed in cloudendpoints Extensible Service Proxy

Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header "X-Endpoint-API-UserInfo", the application can use ...

6.4CVSS6.7AI score0.00375EPSS
Exploits0References4
CVE
CVE
added 2021/10/07 6:30 p.m.51 views

CVE-2021-41130

CVE-2021-41130 affects Extensible Service Proxy (ESP), specifically ESPv1, where the verified JWT claim is exposed to the application via the HTTP header X-Endpoint-API-UserInfo. If a client sends two such headers, ESPv1 only replaces the first, allowing the second header to reach the application...

6.4CVSS5.6AI score0.00375EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2021/10/07 12:0 a.m.5 views

Extensible Service Proxy 安全漏洞

Extensible Service Proxy ESP is a proxy that enables API management for JSON/REST or gRPC API services. A security vulnerability exists in Extensible Service Proxy. No information about this vulnerability is available at this time, so please stay tuned to CNNVD or the vendor announcement...

6.4CVSS5.8AI score0.00375EPSS
Exploits0References5
Packet Storm
Packet Storm
added 2021/09/29 12:0 a.m.206 views

Google Extensible Service Proxy Header Forgery

Extensible Service Proxy a.k.a. ESP is an open source software by Google assisting Cloud Endpoints, a product on Google Cloud Platform. ESPv1 is an nginx based proxy which enables API management capabilities for JSON/REST or gRPC API services. In a typical deployment, ESP is running and fronting...

0.8AI score
Exploits0
NVD
NVD
added 2021/09/07 12:15 p.m.19 views

CVE-2021-38698

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2...

6.5CVSS0.01523EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2021/09/07 11:45 a.m.47 views

CVE-2021-38698

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2...

6.5CVSS6.6AI score0.01523EPSS
Exploits0
Wallarm Lab
Wallarm Lab
added 2018/11/29 4:6 a.m.61 views

Happy graduation, Envoy!

Envoy, the new darling of the DevOps community, performs the role of a service and edge proxy. With advanced features such as timeouts, rate limiting, circuit breaking, load balancing, retries, stats, logging, and distributed tracing are required to handle network failures in a fault tolerant and...

7AI score
Exploits0
CNVD
CNVD
added 2018/05/15 12:0 a.m.4 views

Moxa EDR-810 Denial of Service Vulnerability (CNVD-2018-11729)

The EDR-810 is a highly integrated industrial multi-port security router with firewall/NAT/VPN and two-layer manageable switch functionality. A denial of service vulnerability exists in the service proxy feature of the Moxa EDR-810 V4.1 build 17030317. An attacker can exploit this vulnerability b...

7.5CVSS6.7AI score0.01944EPSS
Exploits2References1
Rows per page
Query Builder