91 matches found
CVE-2021-38698
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2...
CVE-2020-13623
JerryScript 2.2.0 allows attackers to cause a denial of service stack consumption via a proxy operation...
The vulnerability affects the FSM component of the software used for traffic management, load balancing, and security protection in BIG-IP Next Service Proxy for Kubernetes (SPK), as well as the access control and remote authentication mechanisms in BIG-IP. This allows attackers to cause service failures.
The vulnerability of the fsm component in BIG-IP Next Service Proxy for Kubernetes SPK, as well as in tools for access control and remote authentication, is related to improper cleaning or release of resources. Exploiting this vulnerability can allow a malicious actor to cause service failures...
Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2025-926)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-926 advisory. Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's extproc HTTP filter is at risk of crashing if a local reply is sent to the...
CVE-2024-53270
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions sendOverloadError is going to assume the active request exists when envoy.loadshedpoints.http1serverabortdispatch is configured. If activerequest is nullptr, only onMessageBeginImpl is called. However, the...
Medium: ecs-service-connect-agent
Issue Overview: Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's defaul...
BIT-ENVOY-2024-45807 oghttp2 crash on OnBeginHeadersForStream in envoy
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using oghttp as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the oghttp2 by default. The impact of this issue is that envoy wi...
GO-2022-0559 HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. in github.com/hashicorp/consul
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. in github.com/hashicorp/consul...
CVE-2024-39305 Envoy Proxy use after free when route hash policy is configured with cookie attributes
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be...
Amazon Linux 2 : ecs-service-connect-agent (ALASECS-2024-037)
The version of ecs-service-connect-agent installed on the remote host is prior to v1.29.5.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2024-037 advisory. Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling...
BIT-ENVOY-2024-32976 Envoy can enter an endless loop while decompressing Brotli data with extra input
Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into an endless loop during decompression of Brotli data with extra input...
BIT-ENVOY-2024-34362 Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream
Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager HCM with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESETSTREAM frame, and then after receiving the...
CVE-2024-32976
Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into an endless loop during decompression of Brotli data with extra input...
CVE-2024-34363
Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to crash...
CVE-2024-34362
Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager HCM with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESETSTREAM frame, and then after receiving the...
CVE-2024-23326
Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230section-6.7 a server sends 101 when switching...
CVE-2024-32974
Envoy is a cloud-native, open source edge and service proxy. A crash was observed in EnvoyQuicServerStream::OnInitialHeadersComplete with following call stack. It is a use-after-free caused by QUICHE continuing push request headers after StopReading being called on the stream. As after StopReadin...
CVE-2024-32976 Envoy can enter an endless loop while decompressing Brotli data with extra input
Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into an endless loop during decompression of Brotli data with extra input...
CVE-2024-34362 Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream
Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager HCM with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESETSTREAM frame, and then after receiving the...
CVE-2024-34362 Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream
Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager HCM with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESETSTREAM frame, and then after receiving the...